CVE-2021-43804 HIGH

CVE-2021-43804: Out-of-bounds read when parsing RTCP BYE message in PJSIP

Vendor Pjsip
Product pjproject
Weakness CWE-125
Published December 22, 2021
Last update November 4, 2025

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming RTCP BYE message contains a reason's length, this declared length is not checked against the actual received packet size, potentially resulting in an out-of-bound read access. This issue affects all users that use PJMEDIA and RTCP. A malicious actor can send a RTCP BYE message with an invalid reason length. Users are advised to upgrade as soon as possible. There are no known workarounds.

Key dates

02Disclosure timeline

December 22, 2021 CVE published
November 4, 2025 Record updated