{"id":"CVE-2026-32942","summary":"PJSIP has ICE session use-after-free race conditions","details":"PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a  heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17.","aliases":["GHSA-g88q-c2hm-q7p7"],"modified":"2026-04-12T20:14:07.810556Z","published":"2026-03-20T03:43:37.112Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32942.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-416"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32942.json"},{"type":"ADVISORY","url":"https://github.com/pjsip/pjproject/security/advisories/GHSA-g88q-c2hm-q7p7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32942"},{"type":"REPORT","url":"https://github.com/pjsip/pjproject/issues/1451"},{"type":"FIX","url":"https://github.com/pjsip/pjproject/commit/c9caceddabda7f18337b2a82d25d65f6224b450a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pjsip/pjproject","events":[{"introduced":"0"},{"fixed":"c9caceddabda7f18337b2a82d25d65f6224b450a"}]}],"versions":["2.10","2.11","2.12","2.13","2.14","2.15","2.16"],"database_specific":{"vanir_signatures":[{"digest":{"length":2659,"function_hash":"296514060446502758595467709181786564369"},"signature_version":"v1","source":"https://github.com/pjsip/pjproject/commit/c9caceddabda7f18337b2a82d25d65f6224b450a","deprecated":false,"signature_type":"Function","target":{"function":"pj_ice_sess_on_rx_pkt","file":"pjnath/src/pjnath/ice_session.c"},"id":"CVE-2026-32942-32df1b44"},{"digest":{"line_hashes":["58899124184680440093406709697781225185","32609678313659452470089361524374167716","242839389570005040418632099149788447580","269248817349571747784645015298137589841","57377002617240061647952702063801099686","221251662232581027362163640725797558093","240264059872952741428803259352630634264","147673264322234774989299081066606070894","209794440962273896190487937812135873431","69098652646400185957232482278660567366","50415004485954827778866602291815869331","9997984114432737798625091210455704784","193354373762130370756176220494030408951","314149326416665943997582301875586050254","155174500522599857759780782297959221522","325148471560625001092765025937550140996","130986046111488472014327397698098213848"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/pjsip/pjproject/commit/c9caceddabda7f18337b2a82d25d65f6224b450a","deprecated":false,"signature_type":"Line","target":{"file":"pjnath/src/pjnath/ice_session.c"},"id":"CVE-2026-32942-85ad76dc"},{"digest":{"length":948,"function_hash":"326661568323945126796080779906543593660"},"signature_version":"v1","source":"https://github.com/pjsip/pjproject/commit/c9caceddabda7f18337b2a82d25d65f6224b450a","deprecated":false,"signature_type":"Function","target":{"function":"pj_ice_sess_send_data","file":"pjnath/src/pjnath/ice_session.c"},"id":"CVE-2026-32942-9f18bd49"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32942.json","vanir_signatures_modified":"2026-04-12T20:14:07Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"}]}