{"api_version":"1","generated_at":"2026-04-23T09:41:32+00:00","cve":"CVE-2022-24786","urls":{"html":"https://cve.report/CVE-2022-24786","api":"https://cve.report/api/cve/CVE-2022-24786.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-24786","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-24786"},"summary":{"title":"CVE-2022-24786","description":"PJSIP is a free and open source multimedia communication library written in C. PJSIP versions 2.12 and prior do not parse incoming RTCP feedback RPSI (Reference Picture Selection Indication) packet, but any app that directly uses pjmedia_rtcp_fb_parse_rpsi() will be affected. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-04-06 14:15:00","updated_at":"2023-02-02 18:30:00"},"problem_types":["CWE-125","CWE-787"],"metrics":[],"references":[{"url":"https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q","name":"https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q","refsource":"CONFIRM","tags":[],"title":"Potential out-of-bound read/write when parsing RTCP FB RPSI · Advisory · pjsip/pjproject · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202210-37","name":"GLSA-202210-37","refsource":"GENTOO","tags":[],"title":"PJSIP: Multiple Vulnerabilities (GLSA 202210-37) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2022/dsa-5285","name":"DSA-5285","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5285-1 asterisk","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508","name":"https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508","refsource":"MISC","tags":[],"title":"Merge pull request from GHSA-vhxv-phmx-g52q · pjsip/pjproject@11559e4 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html","name":"[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3194-1] asterisk security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-24786","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24786","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"24786","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24786","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24786","vulnerable":"1","versionEndIncluding":"2.12","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pjsip","cpe5":"pjsip","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-24786","qid":"181225","title":"Debian Security Update for asterisk (DLA 3194-1)"},{"cve":"CVE-2022-24786","qid":"181237","title":"Debian Security Update for asterisk (DSA 5285-1)"},{"cve":"CVE-2022-24786","qid":"184895","title":"Debian Security Update for ring (CVE-2022-24786)"},{"cve":"CVE-2022-24786","qid":"502232","title":"Alpine Linux Security Update for pjproject"},{"cve":"CVE-2022-24786","qid":"504293","title":"Alpine Linux Security Update for pjproject"},{"cve":"CVE-2022-24786","qid":"710674","title":"Gentoo Linux PJSIP Multiple Vulnerabilities (GLSA 202210-37)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2022-24786","STATE":"PUBLIC","TITLE":"Potential out-of-bound read/write in PJSIP"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"pjproject","version":{"version_data":[{"version_value":"<= 2.12"}]}}]},"vendor_name":"pjsip"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"PJSIP is a free and open source multimedia communication library written in C. PJSIP versions 2.12 and prior do not parse incoming RTCP feedback RPSI (Reference Picture Selection Indication) packet, but any app that directly uses pjmedia_rtcp_fb_parse_rpsi() will be affected. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-125: Out-of-bounds Read"}]},{"description":[{"lang":"eng","value":"CWE-787: Out-of-bounds Write"}]}]},"references":{"reference_data":[{"name":"https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q","refsource":"CONFIRM","url":"https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q"},{"name":"https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508","refsource":"MISC","url":"https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508"},{"refsource":"GENTOO","name":"GLSA-202210-37","url":"https://security.gentoo.org/glsa/202210-37"},{"refsource":"MLIST","name":"[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"},{"refsource":"DEBIAN","name":"DSA-5285","url":"https://www.debian.org/security/2022/dsa-5285"}]},"source":{"advisory":"GHSA-vhxv-phmx-g52q","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-04-06 14:15:00","lastModifiedDate":"2023-02-02 18:30:00","problem_types":["CWE-125","CWE-787"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*","versionEndIncluding":"2.12","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"24786","Ordinal":"228149","Title":"CVE-2022-24786","CVE":"CVE-2022-24786","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"24786","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}