CVE-2026-26203 MEDIUM

CVE-2026-26203: PJSIP's pjmedia-video has use-after-free in H264 packetizer when packetizing fragmented NAL

Vendor Pjsip
Product pjmedia-video
Weakness CWE-416
Published February 19, 2026
Last update February 19, 2026

CVSS base score

5.1/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L

What the vulnerability does

01 Description

PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked pointer arithmetic that can read from memory located before the allocated buffer. Version 2.17 contains a patch for the issue.
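The bounds checks this class of bug calls for, as an added example that is not PJSIP's code and not the 2.17 patch: an Annex B start-code scanner that rejects input containing no start code and only looks one byte back when that byte lies inside the scanned window. The function names, the look-behind pattern and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NO_START_CODE ((size_t)-1)
/* Constructed samples: three NAL units with start codes, and a payload with none. */
static const uint8_t SAMPLE_OK[] = {0,0,0,1,0x67,0x42, 0,0,1,0x68,0xCE, 0,0,0,1,0x65,0x88,0x84};
static const uint8_t SAMPLE_NO_SC[] = {0x65,0x88,0x84,0x21,0xA0};

/* Offset of the next 00 00 01 or 00 00 00 01 at or after `from`, or NO_START_CODE. */
static size_t find_start_code(const uint8_t *buf, size_t len, size_t from, size_t *sc_len)
{
    if (buf == NULL || len < 3 || from > len - 3)
        return NO_START_CODE;
    for (size_t i = from; i + 3 <= len; i++) {
        if (buf[i] != 0 || buf[i + 1] != 0 || buf[i + 2] != 1)
            continue;
        /* Look-behind for the 4-byte form: read buf[i - 1] only when i > from. */
        size_t back = (i > from && buf[i - 1] == 0) ? 1 : 0;
        *sc_len = 3 + back;
        return i - back;
    }
    return NO_START_CODE;
}

/* Yields the next NAL unit; returns 0 when none is left or no start code exists. */
static int next_nal(const uint8_t *buf, size_t len, size_t *pos, size_t *off, size_t *nal_len)
{
    size_t sc_len = 0, next_sc_len = 0;
    size_t start = find_start_code(buf, len, *pos, &sc_len);
    if (start == NO_START_CODE)
        return 0;                       /* reject; never assume a prefix exists */
    *off = start + sc_len;              /* start + sc_len <= len by construction */
    size_t next = find_start_code(buf, len, *off, &next_sc_len);
    *nal_len = (next == NO_START_CODE ? len : next) - *off;
    *pos = *off + *nal_len;
    return *nal_len > 0;
}

/* Number of non-empty NAL units the bounded scanner finds in buf. */
static size_t count_nals(const uint8_t *buf, size_t len)
{
    size_t pos = 0, off = 0, n_len = 0, n = 0;
    while (next_nal(buf, len, &pos, &off, &n_len))
        n++;
    return n;
}

int main(void)
{
    printf("with start codes: %zu\n", count_nals(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("without start codes: %zu\n", count_nals(SAMPLE_NO_SC, sizeof SAMPLE_NO_SC));
    return 0;
}
```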

Key dates

02 Disclosure timeline

February 19, 2026 CVE published
February 19, 2026 Record updated