{"id":"CVE-2021-32686","details":"PJSIP is a free and open source multimedia communication library written in the C language, implementing standards-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, there is a race condition between callback and destroy, because the accepted socket has no group lock. Second, the SSL socket parent/listener may get destroyed during the handshake. Both issues were reported to happen intermittently under heavy TLS connection load. They cause a crash, resulting in a denial of service. These are fixed in version 2.11.1.","modified":"2026-04-16T04:34:43.700507202Z","published":"2021-07-23T22:15:08.373Z","related":["GHSA-cv8x-p47p-99wr"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4999"},{"type":"ADVISORY","url":"https://github.com/pjsip/pjproject/releases/tag/2.11.1"},{"type":"ADVISORY","url":"https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202210-37"},{"type":"FIX","url":"https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd"},{"type":"FIX","url":"https://github.com/pjsip/pjproject/pull/2716"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pjsip/pjproject","events":[{"introduced":"0"},{"fixed":"513700f74787009241a11eda125284277f7dfc1c"},{"fixed":"d5f95aa066f878b0aef6a64e60b61e8626e664cd"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.11.1"}]}}],"versions":["2.10","2.11"],"database_specific":{"vanir_signatures_modified":"2026-04-11T17:25:54Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}],"vanir_signat
ures":[{"signature_type":"Line","id":"CVE-2021-32686-1aa9a2f5","target":{"file":"pjsip/src/pjsip/sip_transport_tls.c"},"deprecated":false,"digest":{"line_hashes":["140932697934483218368548560736896499395","118590661483100439881986118029494056347","109800045936349098506431599877004810196","333802378110572779788250324956388043385","310772943856257186413723948172502760875","224128272733403774379989290698649098009","87840771572123257888973564995638004834","166626021917886657172592399676869568125","15922769180627089096563758044747423717","268175221184438253448244792497753672177","173676717555089343547707016656090378163","232909359693329530515342134654710832186","70215257314659436992649169316809525821","292474985065362497496770759530232848062"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd"},{"signature_type":"Function","id":"CVE-2021-32686-237331bf","target":{"file":"pjlib/src/pj/ssl_sock_ossl.c","function":"STATUS_FROM_SSL_ERR2"},"deprecated":false,"digest":{"length":290,"function_hash":"87514367646041548440365361619785642496"},"source":"https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd","signature_version":"v1"},{"signature_type":"Line","id":"CVE-2021-32686-386203b9","target":{"file":"pjlib/src/pj/ssl_sock_imp_common.c"},"deprecated":false,"digest":{"line_hashes":["18252950319280553483693426543786069228","256153771325731284703475544556925510496","28486398454948085019570118855059266539","84840687520626321206914727722195549037","24836787113382272882907220424600101644","217111788868000804568133233564489494216","180869881365623036533541556012049076486","100957989714258852309499275004142253360","203914491246382701039621339163175888000","304643517560155641292436211964102968802","254228794417405585502066802935062719036","237828750106208046394273232701521529733","306482421379105951389654994411652380881","38337768613726704043049742858601931390","117273955101
896224412459947005131553248","251626697215728309364595781607341627422","236605522888418655452087889319971386506","3851736057392301750479759484641405530","325217257736097031867989703400966702147","262353775495221249254254858885862948541","174673647313145062211616049598516705050","7357639501596112706271712226964423753","279969968078905623100449081842446195327","156313267238760125248264234393415477193","315471734780592212280720162779133422703","219290064587887231943833916571640758316","277803332607429245718885211417402477712","5639728921897134070608683347798461870","59135043390636686412825798145536846402","62124200933345346044759977741565002179","75584437666550575501988602491338171400","272196274323430729052027437913071668867","172068513464892241047748889651970411511","272441399677960375624278177410691244135","319577583944447292638338674278287066654","283406732253606001914807607105002970376","121092600099609383125088494024538418415","160705281603272404312536191299510214478","154320342516792117629548055046429530888","114500982600112485648424173709550466412","199572938868676814216649253392299794109","4966998505740530539198435380374746241","331664288600580205957260817382836647698","306895746142300728568183355902479602117","29805631871916423103768326481700751818","87645864256688628123043392178974939878","263975314570549813388067573002904093698","38719870199303516225886312090987275943","314571086539046102525891119809930449151","159141051647402120743397424694144958745","12933776171169815247211762777838323361","57923972364010941699845409000464867579"],"threshold":0.9},"source":"https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd","signature_version":"v1"},{"signature_type":"Function","id":"CVE-2021-32686-3b275c74","target":{"file":"pjlib/src/pj/ssl_sock_imp_common.c","function":"on_handshake_complete"},"deprecated":false,"digest":{"length":2345,"function_hash":"179740838800637229524325446287628465579"},"source":"https://github.com/pjsip/pjprojec
t/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd","signature_version":"v1"},{"signature_type":"Function","id":"CVE-2021-32686-513505df","target":{"file":"pjlib/src/pj/ssl_sock_ossl.c","function":"verify_cb"},"deprecated":false,"digest":{"length":2246,"function_hash":"326040681455073002144112236576574798008"},"source":"https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd","signature_version":"v1"},{"signature_type":"Function","id":"CVE-2021-32686-95e73672","target":{"file":"pjlib/src/pj/ssl_sock_ossl.c","function":"ssl_reset_sock_state"},"deprecated":false,"digest":{"length":408,"function_hash":"101081476854559734136837778994810640389"},"source":"https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd","signature_version":"v1"},{"signature_type":"Function","id":"CVE-2021-32686-abcb1931","target":{"file":"pjlib/src/pj/ssl_sock_ossl.c","function":"init_openssl"},"deprecated":false,"digest":{"length":3518,"function_hash":"8118482381805178818440912739540646437"},"source":"https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd","signature_version":"v1"},{"id":"CVE-2021-32686-cd9b57f2","signature_type":"Function","target":{"file":"pjsip/src/pjsip/sip_transport_tls.c","function":"on_accept_complete2"},"deprecated":false,"digest":{"length":3519,"function_hash":"150581142830466230818483646195129574731"},"source":"https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd","signature_version":"v1"},{"signature_type":"Function","id":"CVE-2021-32686-d043f823","target":{"file":"pjlib/src/pj/ssl_sock_ossl.c","function":"STATUS_FROM_SSL_ERR"},"deprecated":false,"digest":{"length":342,"function_hash":"176161265189050759411748644744173437102"},"source":"https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd","signature_version":"v1"},{"signature_type":"Line","id":"CVE-2021-32686-fcfadffc","target":{"file":"pjlib/src/pj/ssl_sock_ossl.c"},"deprecated
":false,"digest":{"line_hashes":["25870702981557702235359331534215036970","309879689108578018218600488602378821167","146318512107363663084084490694742277684","69182912726792548931281277459969331861","61813401780235946129477015088634335669","106856037958905225291139125948789309385","197619587360347980179603603530176458722","206019698915043572329565126913467165032","246314733113036202193561305329115158402","172748650871032629074435546627187938860","111979224532016398074859783752085040350","340214681985562815657174550837153639554","330866281398208881725287478605603358477","17143535986612679290498488646883922363","267807988783754689508371848145793285966","212854445774302055770536868340283611381","20136210091535369246719317876818416132","129496760434160379688840739903218862258","7967649791488245362014458996479986105","239141375550738482796984201611814997533","327362171311462519796381692660780236939","65861046223795567217604318846155610832","148956728744442382569928090772968436991","275182202617081722369416464247000629043","79461307439311330044033431554730319396","265225240964249267630706855774474903002","120252274198565432340617642159866616511","124657231027435183893810091054616546787","84996005204443456924111993027866798265","101670615829519301801938780930956882239","215851121867905594279709487323788666173","293903292578179444508830622583223106483"],"threshold":0.9},"source":"https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd","signature_version":"v1"},{"signature_type":"Function","id":"CVE-2021-32686-ffde2f3b","target":{"file":"pjlib/src/pj/ssl_sock_imp_common.c","function":"ssock_on_accept_complete"},"deprecated":false,"digest":{"length":3979,"function_hash":"84787294693304893400992381060548000027"},"source":"https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd","signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32686.json"}}],"schema_version":"1.7.5",
"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}