CVE-2026-26203

Severity CVSS v4.0:

MEDIUM

Type:

CWE-416 Use After Free

Publication date:

19/02/2026

Last modified:

20/02/2026

Description

PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP&#39;s H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked pointer arithmetic that can read from memory located before the allocated buffer. Version 2.17 contains a patch for the issue.

Impact

Vector 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L CVSS v4.0 Severity and Metrics:

Base Score: 5.10 MEDIUM
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L

Attack Vector (AV): Local
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): None
User Interaction (UI): None
Confidentiality (VC): None
Integrity (VI): None
Availability (VA): None
Confidentiality (SC): None
Integrity (SI): None
Availability (SA): Low

Base Score 4.0

5.10

Severity 4.0

MEDIUM

CVE-2026-26203

Description

Impact

References to Advisories, Solutions, and Tools