Hi there
There are a whole bunch of PjSip CVEs listed here:
And at other places as well.
So how does this affect Asterisk?
Regards,
Rob
The latest releases we provide include fixes for all CVEs that impact Asterisk. We don’t use all of the PJSIP functionality, to the degree we don’t even build the code sometimes, and so some CVEs have no impact on Asterisk or its users.
This is the PR which included the applicable fixes:
Everything else is either not applicable or can’t be exploited in Asterisk.
For starters, none of that stuff affects any normal PBX install; it would only affect a PBX that allowed unrestricted calling from the Internet, such as someone wanting to run a so-called “cloud PBX”.
And, IMHO, anyone doing that is doing it commercially, and SHOULD be buying a support contract from Sangoma (sponsors of the project) and using the Sangoma-compiled binaries of Asterisk. IMHO. And they should also be using commercial server endpoint protection and network protection and a commercial XDR that is tied into their FW and SHOULD be tracking and alerting on the nonsense from the hackers on the Internet.
For corporate/personal use you should NOT be exposing an Asterisk SIP port to the Internet. You should be connecting to your private network where your Asterisk server is with a VPN, IMHO. Or you should be connecting to it from defined IPs. For example a distributed corporate WAN of sites might do this with access lists.
I don’t think that the Debian Asterisk maintainer is really doing his or her job in any case, or you would not see all those CVEs under the Debian umbrella pointing to Asterisk. I know the FreePBX project does NOT use the Debian binaries; they use the Sangoma binaries.
Also interesting to note that the CVEs in the list seem to all have verbiage saying “such and such vulnerability fixed in newer version” and affect bullseye and sid, not bookworm and trixie. This may be an inter-distro fight with the Debian maintainers attempting to kick the ass of the asterisk maintainer to backport fixes to the earlier releases.
My $0.02
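The “connect from defined IPs” approach mentioned above, shown as an added configuration example that is not part of this thread: a named ACL in Asterisk’s acl.conf, and a PJSIP endpoint with and without that ACL attached. The section names, context and address ranges are constructed placeholders; the option names (`acl`, `deny`, `permit`) are standard Asterisk ACL and pjsip.conf endpoint options.

```ini
; Added example, not from the thread. All section names and addresses are
; constructed placeholders (RFC 5737 documentation ranges).

; --- acl.conf ---------------------------------------------------------------
; Named ACL: deny everything, then permit only the corporate WAN sites.
[corp_sites]
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/24          ; site A (placeholder range)
permit=198.51.100.0/24       ; site B (placeholder range)

; --- pjsip.conf -------------------------------------------------------------
; Weak: the endpoint accepts requests from any source address that can
; reach the SIP transport, so it relies entirely on the parser and auth.
[branch-trunk-open]
type=endpoint
context=from-trunk
disallow=all
allow=ulaw

; Hardened: the same endpoint, but requests from addresses outside the
; named ACL are rejected before they are processed for this endpoint.
[branch-trunk]
type=endpoint
context=from-trunk
disallow=all
allow=ulaw
acl=corp_sites               ; references the [corp_sites] section in acl.conf
```

An endpoint ACL only takes effect for traffic that has already been matched to that endpoint, so it is one layer rather than the whole answer: a host firewall or upstream filter that drops SIP from unlisted sources, or the VPN arrangement described above, keeps unsolicited packets away from PJSIP altogether.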
Just FYI… Sangoma doesn’t provide pre-compiled binaries of Asterisk except as part of other products like FreePBX, PBXact and Switchvox.
Hi there
So anything post 25 March is OK.
There are patches in the Asterisk 22.9.0 source pjproject directory. The same source with the same patches is used by Debian. Perhaps they overlooked something. The Debian VoIP team is rather small.
Regards,
Rob