CVE-2026-34235: CWE-125: Out-of-bounds Read in pjsip pjproject
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs when parsing crafted VP9 Scalability Structure (SS) data. Insufficient bounds checking on the payload descriptor length may cause reads beyond the allocated RTP payload buffer. This issue has been patched in version 2.17. A workaround for this issue is to disable the VP9 codec if it is not needed.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-34235 affects pjproject, an open-source multimedia communication library widely used for VoIP and real-time communication applications. Specifically, the flaw resides in the VP9 RTP unpacketizer component, which processes RTP packets containing VP9 video codec data. The vulnerability is a heap out-of-bounds read (CWE-125) caused by insufficient validation of the payload descriptor length field when parsing the VP9 Scalability Structure (SS) data. This improper bounds checking allows an attacker to craft malicious RTP packets with malformed VP9 SS data that trigger reads beyond the allocated memory buffer. Such out-of-bounds reads can lead to information disclosure by leaking sensitive memory contents or cause application crashes, potentially resulting in denial of service. The vulnerability requires no authentication or user interaction and can be exploited remotely by sending specially crafted RTP streams to vulnerable endpoints. The issue affects pjproject versions earlier than 2.17 and was addressed by improving bounds checking in the VP9 RTP unpacketizer in version 2.17. As a workaround, disabling the VP9 codec prevents the vulnerable code path from being exercised. No public exploits have been reported to date, but the medium CVSS score of 6.9 reflects the moderate risk due to the ease of remote exploitation and potential impact on confidentiality and availability.
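The kind of bounds checking described above, as an added example (not pjproject's code or its patch): a parser for the SS layout in the IETF VP9 RTP payload format that validates every declared length against the remaining payload bytes before reading. The names `vp9_parse_ss`, `vp9_ss_info` and `take` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

typedef struct {
    unsigned n_s;      /* N_S field: spatial layers minus one */
    unsigned n_g;      /* pictures in the picture group, 0 if G is clear */
    size_t   consumed; /* bytes of SS consumed from the buffer */
} vp9_ss_info;

/* Take n bytes at the cursor; fail instead of reading past len. */
static int take(const uint8_t *buf, size_t len, size_t *off, size_t n,
                const uint8_t **out)
{
    if (n > len - *off)   /* *off <= len always holds, so no underflow */
        return -1;
    *out = buf + *off;
    *off += n;
    return 0;
}

/* Parse the SS starting at buf[0]; len is the payload bytes remaining.
 * Returns 0 on success, -1 if the SS declares more data than is present. */
int vp9_parse_ss(const uint8_t *buf, size_t len, vp9_ss_info *info)
{
    size_t off = 0;
    const uint8_t *p;
    if (take(buf, len, &off, 1, &p) != 0)          /* N_S|Y|G|-|-|- */
        return -1;
    info->n_s = p[0] >> 5;
    int y = (p[0] >> 4) & 1, g = (p[0] >> 3) & 1;
    info->n_g = 0;
    /* Y=1: 16-bit WIDTH and 16-bit HEIGHT for each of N_S+1 layers. */
    if (y && take(buf, len, &off, 4u * (info->n_s + 1), &p) != 0)
        return -1;
    if (g) {
        if (take(buf, len, &off, 1, &p) != 0)      /* N_G */
            return -1;
        info->n_g = p[0];
        for (unsigned i = 0; i < info->n_g; i++) {
            if (take(buf, len, &off, 1, &p) != 0)  /* TID|U|R|-|- */
                return -1;
            unsigned r = (p[0] >> 2) & 3;          /* R P_DIFF bytes follow */
            if (take(buf, len, &off, r, &p) != 0)
                return -1;
        }
    }
    info->consumed = off;
    return 0;
}
```

The caller passes only the bytes left in the RTP payload after the preceding descriptor fields, so `len` can never exceed the allocated buffer.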
Potential Impact
Organizations using pjproject versions prior to 2.17 with VP9 codec enabled in their communication infrastructure face risks including potential information leakage and service disruption. Attackers can remotely exploit this vulnerability by sending crafted RTP packets, which may lead to disclosure of sensitive memory data or cause application crashes, impacting the availability of real-time communication services such as VoIP, video conferencing, and unified communications. This could degrade user experience, interrupt business operations, and expose sensitive information processed by the affected systems. Since pjproject is embedded in many communication platforms worldwide, the vulnerability could affect a broad range of industries including telecommunications, healthcare, finance, and government sectors that rely on secure multimedia communications. The lack of authentication or user interaction requirements increases the attack surface, making automated or large-scale exploitation feasible if weaponized. However, the absence of known exploits in the wild currently limits immediate widespread impact.
Mitigation Recommendations
To mitigate CVE-2026-34235, organizations should upgrade all instances of pjproject to version 2.17 or later, where the vulnerability has been patched with improved bounds checking. If immediate upgrading is not feasible, disabling the VP9 codec in the affected applications or endpoints will prevent the vulnerable code from being executed, effectively mitigating the risk. Network-level controls such as RTP traffic filtering and anomaly detection can help identify and block suspicious VP9 RTP packets with malformed payloads. Implementing strict input validation and RTP stream integrity checks at the application layer can further reduce exposure. Regularly monitoring vendor advisories and applying security patches promptly is critical. Additionally, organizations should conduct security testing and code audits on custom integrations using pjproject to ensure no other unsafe parsing routines exist. Employing runtime protections like memory safety tools or sandboxing the media processing components can limit the impact of potential exploitation.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-26T16:22:29.034Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69cbedf2e6bfc5ba1d2480fd
Added to database: 3/31/2026, 3:53:22 PM
Last enriched: 3/31/2026, 4:10:02 PM
Last updated: 4/1/2026, 3:57:44 AM