{"id":"CVE-2021-43804","details":"PJSIP is a free and open source multimedia communication library written in the C language that implements standards-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions, if the incoming RTCP BYE message contains a reason's length, this declared length is not checked against the actual received packet size, potentially resulting in an out-of-bounds read. This issue affects all users that use PJMEDIA and RTCP. A malicious actor can send an RTCP BYE message with an invalid reason length. Users are advised to upgrade as soon as possible. There are no known workarounds.","modified":"2026-04-11T18:45:41.952715Z","published":"2021-12-22T18:15:07.900Z","related":["GHSA-3qx3-cg72-wrh9"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202210-37"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5285"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"},{"type":"FIX","url":"https://github.com/pjsip/pjproject/commit/8b621f192cae14456ee0b0ade52ce6c6f258af1e"},{"type":"FIX","url":"https://github.com/pjsip/pjproject/security/advisories/GHSA-3qx3-cg72-wrh9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pjsip/pjproject","events":[{"introduced":"0"},{"last_affected":"513700f74787009241a11eda125284277f7dfc1c"},{"fixed":"8b621f192cae14456ee0b0ade52ce6c6f258af1e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.11.1"}]}}],"versions":["2.10","2.11","2.11.1"],"database_specific":{"vanir_signatures":[{"deprecated":false,"signature_type":"Line","id":"CVE-2021-43804-21f02fcb","source":"https://github.com/pjsip/pjproject/commit/8b621f19
2cae14456ee0b0ade52ce6c6f258af1e","digest":{"line_hashes":["103894779853426178814937399479854292327","130803791047819453649259362093641933649","122525548633403368601872048441338313566","129850034086129389672742617489432174938","106737951759900644022218887804782806478","169713399488750805111827828987683376328"],"threshold":0.9},"signature_version":"v1","target":{"file":"pjmedia/src/pjmedia/rtcp.c"}},{"deprecated":false,"signature_type":"Function","id":"CVE-2021-43804-252f8bbe","source":"https://github.com/pjsip/pjproject/commit/8b621f192cae14456ee0b0ade52ce6c6f258af1e","digest":{"length":456,"function_hash":"276740140683552634685635405292978235453"},"signature_version":"v1","target":{"function":"parse_rtcp_bye","file":"pjmedia/src/pjmedia/rtcp.c"}}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43804.json","vanir_signatures_modified":"2026-04-11T18:45:41Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}