CVE-2017-16872

critical

Published 2017-11-17 · Modified 2026-05-13

CVSS v3

9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

7.5

VIR risk

9.8

Description

An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2.7.1. Parsing the numeric header fields in a SIP message (like cseq, ttl, port, etc.) all had the potential to overflow, either causing unintended values to be captured or, if the values were subsequently converted back to strings, a buffer overrun. This will lead to a potential exploit using carefully crafted invalid values.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://trac.pjsip.org/repos/ticket/2056

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://trac.pjsip.org/repos/milestone/release-2.7.1

OS impact

OS	Version	Status	Fixed in
debian	9.0	affected

Application impact

Vendor	Product	Versions	Fixed
teluu	pjsip	`{"endExcluding":"2.7.1"}`	`2.7.1`

References

CWEs

CWE-119

Verify integrity in audit chain (admin only). AS-IS.