{"id":"CVE-2026-40614","summary":"PJSIP: Heap buffer overflow in Opus codec decoding","details":"PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec decode path. The FEC decode buffers (dec_frame[].buf) were allocated based on a PCM-derived formula: (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields only 960 bytes, but codec_parse() can output encoded frames up to MAX_ENCODED_PACKET_SIZE (1280) bytes via opus_repacketizer_out_range(). The three pj_memcpy() calls in codec_decode() copied input-\u003esize bytes without bounds checking, causing a heap buffer overflow.","aliases":["GHSA-j59p-4xrr-fp8g"],"modified":"2026-07-15T17:59:39.610796Z","published":"2026-04-21T18:04:15.159Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-122"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40614.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40614.json"},{"type":"ADVISORY","url":"https://github.com/pjsip/pjproject/security/advisories/GHSA-j59p-4xrr-fp8g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40614"},{"type":"FIX","url":"https://github.com/pjsip/pjproject/commit/17897e835818f8ee03b1806ddcd7b95ea16d2c0e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pjsip/pjproject","events":[{"introduced":"0"},{"fixed":"5a457451fa2712ba18e12b01738e8ff3af2b26fd"},{"fixed":"17897e835818f8ee03b1806ddcd7b95ea16d2c0e"}],"database_specific":{"cpe":"cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"2.17"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["2.16","2.15","2.14","2.13","2.12","2.11","2.10"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40614.json","vanir_signatures_modified":"2026-07-15T17:59:39Z","vanir_signatures":[{"id":"CVE-2026-40614-3d80afd2","signature_type":"Function","signature_version":"v1","source":"https://github.com/pjsip/pjproject/commit/17897e835818f8ee03b1806ddcd7b95ea16d2c0e","target":{"file":"pjmedia/src/pjmedia-codec/opus.c","function":"codec_decode"},"deprecated":false,"digest":{"length":2310,"function_hash":"307741843741102785600521679301194435983"}},{"signature_version":"v1","source":"https://github.com/pjsip/pjproject/commit/17897e835818f8ee03b1806ddcd7b95ea16d2c0e","target":{"file":"pjmedia/src/pjmedia-codec/opus.c"},"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["40998352099753816369358150745877894729","283997858936136985669841392004727120715","138008198829269541789303943184221627525","112071054494798034324092834764551636352","314423035999086905306463896604038598321","339130684049869654880559086658401614261","136095992923886050172605195700247268605","258049715415761607482594563879393146990","179590715693958510418564809653781739286","29557106455553329204775999465476951520","262984748372042230757947587232676985996","180541227855696285522637829008824965527","161118618033905732568007519495921185160","168180776976329238916313184246250555872","158049875721016892320983271044545896346","45951835357598552472368107482868758666","254279629432487127295993042963845794608","87576862660118749219792503296618322409","268650039904163926091801771035637190969","208172665598254958365738996672419436578","64299534233488034448655406118762218409","264198096107991550228002397187107612126"]},"id":"CVE-2026-40614-50d81e9c","signature_type":"Line"},{"source":"https://github.com/pjsip/pjproject/commit/17897e835818f8ee03b1806ddcd7b95ea16d2c0e","target":{"file":"pjmedia/src/pjmedia-codec/opus.c","function":"factory_default_attr"},"deprecated":false,"digest":{"function_hash":"204094393636204851845577606587888003896","length":1015},"id":"CVE-2026-40614-99109a55","signature_type":"Function","signature_version":"v1"},{"signature_version":"v1","source":"https://github.com/pjsip/pjproject/commit/17897e835818f8ee03b1806ddcd7b95ea16d2c0e","target":{"file":"pjmedia/src/pjmedia-codec/opus.c","function":"codec_open"},"deprecated":false,"digest":{"function_hash":"9054551508075790854765153238424893437","length":5130},"id":"CVE-2026-40614-9f3ba7f9","signature_type":"Function"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}