What is CVE-2022-24786?

CVE-2022-24786 is a critical-severity vulnerability in Pjsip Pjproject, classified under Out-of-bounds Read. CVSS score: 9.8/10. Published 2022-04-06.

How severe is CVE-2022-24786?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2022-24786 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Out-of-bounds Read in Pjsip Pjproject

CVE-2022-24786

PJSIP is a free and open source multimedia communication library written in C. PJSIP versions 2.12 and prior do not parse incoming RTCP feedback RPSI (Reference Picture Selection Indication) packet, but any app that directly uses pjmedia_r…

Vulnerability class: Buffer Overflow

EPSS: 0.007 (73.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Pjsip Pjproject — versions <= 2.12

Weakness classification (CWE)

Public proof-of-concept exploits

References

github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q
github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508
GLSA-202210-37 (vendor-advisory)
[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update (mailing-list)
DSA-5285 (vendor-advisory)

Frequently asked questions

What is CVE-2022-24786?: CVE-2022-24786 is a critical-severity vulnerability in Pjsip Pjproject, classified under Out-of-bounds Read. CVSS score: 9.8/10. Published 2022-04-06.
How severe is CVE-2022-24786?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2022-24786 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.