## https://sploitus.com/exploit?id=B8B1865D-0B4C-59C6-9482-D7F882514095
CVE-2026-25994: PJNATH ICE Stack Buffer Overflow (pjsip ≤ 2.16)
Overview
CVE-2026-25994 is a stack-based buffer overflow vulnerability affecting the ICE (Interactive Connectivity Establishment) implementation in pjsip ≤ 2.16, specifically within the PJNATH component.
The vulnerability exists in the function:
pj_ice_sess_create_check_list()
located in:
pjnath/src/pjnath/ice_session.c
Vulnerability Details
The issue is caused by unsafe string handling when constructing the ICE username:
char buf[128]; // Fixed-size stack buffer
username.ptr = buf;
pj_strcpy(&username, rem_ufrag); // No bounds checking: copies rem_ufrag->slen bytes into buf
pj_strcat2(&username, ":"); // Appends without checking the remaining space
pj_strcat(&username, &ice->rx_ufrag); // Same: appends the local ufrag unchecked
Root Cause
rem_ufrag is taken directly from the SDP attribute:
a=ice-ufrag:
No length validation is performed before copying into a 128-byte stack buffer
This allows a remote peer to write past the end of buf and corrupt the stack frame, including:
Saved frame pointer and other frame data
Return address
Stack canary, where one is present (the process then aborts on function return instead of jumping to an attacker-chosen address)
Exploitation
A malicious SIP INVITE whose SDP carries an overlong ice-ufrag triggers the overflow when the offer is processed
The overflow begins as soon as rem_ufrag, the ":" separator and the local ufrag together exceed 128 bytes, so ice-ufrag values of roughly 130 bytes or more are enough to corrupt the frame
In practice, ~500+ bytes (e.g., 520) gives a consistent crash
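The overflow arithmetic and the bounded alternative, as an added example that is not pjproject code: ice_str mirrors pj_str_t (ptr, slen) and the two copy helpers reproduce what pj_strcpy/pj_strcat do, a memcpy of slen bytes with no look at the destination capacity (a simplified re-implementation, assumed to match pjlib's semantics). The 8-byte local ufrag, the 119/520-byte remote values and the ETOOBIG constant are constructed for the example; the exact limit constants of the upstream fix are not reproduced.

```c
/* Added example (not pjproject code): a minimal model of the pj_str_t
 * handling behind CVE-2026-25994 and a bounded replacement for it.
 * ice_str mirrors pj_str_t (ptr, slen); the copy helpers reproduce the
 * pjlib behaviour the advisory relies on: memcpy of slen bytes, no check of
 * the destination buffer size (assumption: simplified re-implementation). */
#include <stdio.h>
#include <string.h>

typedef struct { char *ptr; long slen; } ice_str;

#define USERNAME_BUF 128  /* char buf[128] in pj_ice_sess_create_check_list() */
#define ETOOBIG (-1)      /* stands in for PJ_ETOOBIG */

/* Same semantics as pj_strcpy / pj_strcat: copy slen bytes and never look at
 * the destination's capacity. Only called after the length check below. */
static void str_copy(ice_str *dst, const ice_str *src) {
    memcpy(dst->ptr, src->ptr, (size_t)src->slen);
    dst->slen = src->slen;
}
static void str_append(ice_str *dst, const ice_str *src) {
    memcpy(dst->ptr + dst->slen, src->ptr, (size_t)src->slen);
    dst->slen += src->slen;
}

/* Bytes the vulnerable sequence (rem_ufrag ':' rx_ufrag) would write past
 * the 128-byte buffer; 0 means it fits. This number decides whether the
 * saved frame pointer, canary and return address get overwritten. */
long overflow_bytes(long rem_ufrag_len, long local_ufrag_len) {
    long need = rem_ufrag_len + 1 + local_ufrag_len;
    return need > USERNAME_BUF ? need - USERNAME_BUF : 0;
}

/* Hardened builder: produces the same "rem:local" username but refuses
 * input that does not fit buf, mirroring the PJ_ETOOBIG rejection of the fix
 * (the upstream constants are not reproduced; the check here is exact-fit). */
int build_username_checked(char *buf, size_t bufsz,
                           const ice_str *rem, const ice_str *local,
                           ice_str *out) {
    char colon_ch = ':';
    ice_str colon = { &colon_ch, 1 };
    if (rem->slen < 0 || local->slen < 0) return ETOOBIG;
    if ((size_t)rem->slen + 1 + (size_t)local->slen > bufsz) return ETOOBIG;
    out->ptr = buf;
    out->slen = 0;
    str_copy(out, rem);        /* now provably within buf */
    str_append(out, &colon);
    str_append(out, local);
    return 0;
}

int main(void) {
    char big[520];                       /* constructed remote ufrag material */
    char local_buf[] = "abcdefgh";       /* constructed 8-byte local ufrag */
    char buf[USERNAME_BUF];
    ice_str local = { local_buf, 8 };
    ice_str rem_ok = { big, 119 };       /* 119 + ':' + 8 = 128, fits exactly */
    ice_str rem_poc = { big, 520 };      /* the advisory's crash-sized payload */
    ice_str out;
    int rc;

    memset(big, 'A', sizeof big);
    printf("rem=119: %ld bytes past buf\n", overflow_bytes(rem_ok.slen, local.slen));
    printf("rem=520: %ld bytes past buf\n", overflow_bytes(rem_poc.slen, local.slen));
    rc = build_username_checked(buf, sizeof buf, &rem_ok, &local, &out);
    printf("checked build, rem=119: rc=%d slen=%ld\n", rc, rc == 0 ? out.slen : 0L);
    rc = build_username_checked(buf, sizeof buf, &rem_poc, &local, &out);
    printf("checked build, rem=520: rc=%d (ETOOBIG)\n", rc);
    return 0;
}
```

With an 8-byte local ufrag the first byte past buf is written at a remote ufrag of 120, which is why the ~130-byte figure above already corrupts the frame and the 520-byte PoC payload lands roughly 400 bytes beyond it.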
Affected Versions
Vulnerable: pjsip ≤ 2.16
Fixed: pjsip ≥ 2.17
Patch
The fix introduces proper bounds checking:
if (rem_ufrag->slen >= MAX_USERNAME_LEN ||
(rem_ufrag->slen + ice->rx_ufrag.slen + 1) >= 512)
{
return PJ_ETOOBIG;
}
Impact
Denial of Service (DoS) via segmentation fault
Potential for Remote Code Execution (RCE) depending on:
Stack protections (ASLR, NX, canaries)
Memory layout
Exploit sophistication
Proof of Concept (PoC)
The provided PoC sends a crafted SIP INVITE containing an oversized ice-ufrag to trigger the overflow.
Features
Fully synchronous (no asyncio)
Command-line configurable
Automatic retries
Realistic SDP payload
Crash detection via timeout
Running the Vulnerable Server
Start pjsua with ICE enabled:
pjsua-x86_64-unknown-linux-gnu --use-ice --local-port=5060 --log-level=5 --no-tcp --auto-answer=200
Running the PoC
python3 pjsip.py -i 127.0.0.1 -p 5060 -a 3
Arguments
Option            Description          Default
-i, --ip          Target IP address    127.0.0.1
-p, --port        SIP port             5060
-a, --attempts    Number of attempts   3
Expected Behavior
Vulnerable Target
No response from server
PoC reports:
TIMEOUT! Very likely that pjsua has crashed
pjsua process terminates (Segmentation fault)
Patched Target
SIP response received (e.g., 200 OK / error)
No crash occurs
Detection Tips
Monitor for abnormal termination of pjsua
Check logs for malformed or oversized ice-ufrag values
Use fuzzing to identify similar parsing issues
Mitigation
Upgrade to pjsip ≥ 2.17
Apply input validation for SDP attributes (reject ice-ufrag values beyond what the endpoint can safely handle)
Build and run with stack protections, which do not prevent the overflow but make exploitation beyond a crash harder:
Stack canaries
ASLR
NX (non-executable stack)
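The log check and the SDP attribute validation from the Detection Tips and Mitigation sections, as an added example that is neither pjproject code nor the advisory's PoC: it scans a SIP message for a=ice-ufrag: attributes and reports the longest value so a proxy, SBC or log pipeline can reject or alert on it. The RFC 5245 / RFC 8839 upper bound of 256 characters is a real limit; the tighter PJSIP_216_SAFE_MAX threshold assumes an 8-byte local ufrag on the pjsip side and derives 128 - 1 - 8 from the buffer size described above; the INVITE is constructed for the example.

```c
/* Added example (not pjproject code or the advisory's PoC): scan a SIP
 * message for a=ice-ufrag: attributes and report the longest value, the
 * check a proxy, SBC or log pipeline can apply to spot the oversized ufrag
 * this bug needs. The INVITE built below is constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 5245 / RFC 8839 limit the ufrag to 4..256 characters, so anything
 * longer is malformed on its own. */
#define ICE_UFRAG_RFC_MAX 256
/* Tighter limit for unpatched pjsip 2.16: buf[128] minus ':' minus the local
 * ufrag (assumption: 8-byte local ufrag). Values above this overflow. */
#define PJSIP_216_SAFE_MAX (128 - 1 - 8)

/* Length of the longest a=ice-ufrag: value in msg (session or media level),
 * or -1 if none; accepts CRLF or LF line endings. */
long max_ice_ufrag_len(const char *msg) {
    static const char prefix[] = "a=ice-ufrag:";
    const size_t plen = sizeof prefix - 1;
    long best = -1;
    const char *p = msg;
    while (*p) {
        const char *eol = strpbrk(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen >= plen && memcmp(p, prefix, plen) == 0) {
            long vlen = (long)(linelen - plen);
            if (vlen > best) best = vlen;
        }
        if (!eol) break;
        p = eol;
        while (*p == '\r' || *p == '\n') p++;   /* skip the line terminator(s) */
    }
    return best;
}

/* 1 if msg carries an ice-ufrag longer than limit, 0 otherwise. */
int has_oversized_ufrag(const char *msg, long limit) {
    return max_ice_ufrag_len(msg) > limit;
}

/* Constructed INVITE whose single ice-ufrag is ufrag_len 'A's. Caller frees. */
char *build_invite(size_t ufrag_len) {
    static const char head[] =
        "INVITE sip:target@127.0.0.1 SIP/2.0\r\n"
        "Content-Type: application/sdp\r\n"
        "\r\n"
        "v=0\r\n"
        "o=- 1 1 IN IP4 127.0.0.1\r\n"
        "s=-\r\n"
        "c=IN IP4 127.0.0.1\r\n"
        "t=0 0\r\n"
        "m=audio 4000 RTP/AVP 0\r\n"
        "a=ice-pwd:0123456789abcdef0123456789\r\n"
        "a=ice-ufrag:";
    static const char tail[] = "\r\n";
    size_t hl = sizeof head - 1, tl = sizeof tail - 1;
    char *msg = malloc(hl + ufrag_len + tl + 1);
    if (!msg) return NULL;
    memcpy(msg, head, hl);
    memset(msg + hl, 'A', ufrag_len);
    memcpy(msg + hl + ufrag_len, tail, tl + 1);   /* copies the NUL too */
    return msg;
}

int main(void) {
    size_t sizes[] = { 8, 130, 520 };   /* benign, just-over-buffer, PoC-sized */
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        char *m = build_invite(sizes[i]);
        if (!m) return 1;
        printf("ice-ufrag len %ld: RFC check %s, pjsip-2.16 check %s\n",
               max_ice_ufrag_len(m),
               has_oversized_ufrag(m, ICE_UFRAG_RFC_MAX) ? "REJECT" : "ok",
               has_oversized_ufrag(m, PJSIP_216_SAFE_MAX) ? "REJECT" : "ok");
        free(m);
    }
    return 0;
}
```

The 130-byte case is the important one: it passes the RFC limit but still crashes an unpatched endpoint, so a filter placed in front of pjsip 2.16 has to use the tighter threshold, and the RFC bound alone only catches the crude 520-byte variant.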
Disclaimer
This Proof of Concept is provided for educational and security research purposes only.
Do not use this code against systems you do not own or have explicit permission to test.