CVE-2026-25994

Publication date 11 February 2026

Last updated 24 March 2026

Description

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a buffer overflow vulnerability exists in PJNATH ICE Session when processing credentials with excessively long usernames.

Why is this CVE high priority?

Easily induced buffer overflow by using long username

Learn more about Ubuntu priority

Status

Show unmaintained releases

Package	Ubuntu Release	Status
pjproject	25.10 questing	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	18.04 LTS bionic	Fixed 2.7.2~dfsg-1ubuntu0.1~esm1
	16.04 LTS xenial	Fixed 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
pjproject	Upstream: 063b3a1 Upstream: 91dee06

References

Related Ubuntu Security Notices (USN)

USN-8122-1
PJSIP vulnerabilities
24 March 2026