{"id":"CVE-2026-28799","summary":"PJSIP: Heap use-after-free in PJSIP presence subscription termination handler","details":"PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is triggered during presence unsubscription (SUBSCRIBE with Expires=0). This issue has been patched in version 2.17.","aliases":["GHSA-8fj4-fv9f-hjpc"],"modified":"2026-04-12T20:28:22.550179Z","published":"2026-03-06T06:36:55.109Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28799.json","cwe_ids":["CWE-416"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28799.json"},{"type":"ADVISORY","url":"https://github.com/pjsip/pjproject/security/advisories/GHSA-8fj4-fv9f-hjpc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28799"},{"type":"FIX","url":"https://github.com/pjsip/pjproject/commit/e06ff6c64741cc1675fd3296615910f532f6b1a1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pjsip/pjproject","events":[{"introduced":"0"},{"fixed":"e06ff6c64741cc1675fd3296615910f532f6b1a1"}]}],"versions":["2.10","2.11","2.12","2.13","2.14","2.15","2.16"],"database_specific":{"vanir_signatures":[{"deprecated":false,"target":{"function":"set_state","file":"pjsip/src/pjsip-simple/evsub.c"},"id":"CVE-2026-28799-159797fa","signature_version":"v1","signature_type":"Function","source":"https://github.com/pjsip/pjproject/commit/e06ff6c64741cc1675fd3296615910f532f6b1a1","digest":{"length":1079,"function_hash":"113085548421252105477993818535355588220"}},{"deprecated":false,"target":{"file":"pjsip/src/pjsip-simple/evsub.c"},"id":"CVE-2026-28799-49830bcd","signature_version":"v1","signature_type":"Line","source":"https://github.com/pjsip/pjproject/commit/e06ff6c64741cc1675fd3296615910f532f6b1a1","digest":{"line_hashes":["62702997990066290748183178803648583036","3680079640130068587245711428552478486","305375029803131382619108103141345231935","208880229480497262213289548861874949238","15788682506788227829643389992342722805","271577852352687878163258122343940497120","24234324418505102304868124190955191228","96166961375039496389244889358599061819","14333187225389319331452442355621738818","300543237972165242385344514598107417353","11821126682426986753094684959865736929","11644567030546711710929301536655084880"],"threshold":0.9}},{"deprecated":false,"target":{"function":"on_tsx_state_uas","file":"pjsip/src/pjsip-simple/evsub.c"},"id":"CVE-2026-28799-620038ec","signature_version":"v1","signature_type":"Function","source":"https://github.com/pjsip/pjproject/commit/e06ff6c64741cc1675fd3296615910f532f6b1a1","digest":{"length":4085,"function_hash":"215812815267268690703619589016323548845"}}],"vanir_signatures_modified":"2026-04-12T20:28:22Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"2.17"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28799.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}