PJSIP patches VP9 RTP heap read flaw in 2.17
A moderate severity heap out-of-bounds read vulnerability has been disclosed in the PJSIP open-source project. The vulnerability (CVE-2026-34235) exists in the VP9 RTP unpacketizer in versions 2.16 and lower, where insufficient bounds checking on crafted VP9 payloads can cause reads beyond the allocated buffer. A patch has been made available in version 2.17.
Key Takeaways
- Affected versions are pjproject 2.16 or lower; patched version is 2.17.
- The bug sits in the VP9 RTP unpacketizer and triggers during parsing of crafted VP9 Scalability Structure data.
- PJSIP says applications with video support enabled (`PJMEDIA_HAS_VIDEO`) that receive VP9 RTP media are potentially affected.
- The published patch is commit f4c7d08 in the master branch.
- PJSIP lists disabling the VP9 codec as a workaround if it is not needed.
Why It Matters
This is an open-source media stack issue that can affect any PJSIP application with video support enabled and VP9 RTP traffic. For streaming teams using pjproject in signaling or media pipelines, the immediate task is version checking: 2.16 and earlier are affected, while 2.17 contains the fix. The broader takeaway is that codec parsing remains a security-sensitive part of the streaming stack, especially where payload descriptors are handled before video is decoded. The concrete watch item is whether downstream builds move to 2.17 or ship VP9 disabled as a stopgap.
Read full article at github.com