CVE-2022-21722 CRITICAL

CVE-2022-21722: Potential out-of-bound read during RTP/RTCP parsing in PJSIP

Vendor Pjsip
Product pjproject
Weakness CWE-125
Published January 27, 2022
Last update November 4, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

What the vulnerability does

01Description

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there are various cases where it is possible that certain incoming RTP/RTCP packets can potentially cause out-of-bound read access. This issue affects all users that use PJMEDIA and accept incoming RTP/RTCP. A patch is available as a commit in the `master` branch. There are no known workarounds.

Key dates

02Disclosure timeline

January 27, 2022 CVE published
November 4, 2025 Record updated

Related vulnerabilities

04Related CVE