CVE-2021-32686
Publication date 23 July 2021
Last updated 26 August 2025
Ubuntu priority
Description
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and destroy, due to the accepted socket having no group lock. Second, the SSL socket parent/listener may get destroyed during handshake. Both issues were reported to happen intermittently in heavy load TLS connections. They cause a crash, resulting in a denial of service. These are fixed in version 2.11.1.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| pjproject | 25.10 questing | Not in release |
| 25.04 plucky | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.9 · Medium
|
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Other references
- https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr
- https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd
- https://github.com/pjsip/pjproject/pull/2716
- https://github.com/pjsip/pjproject/releases/tag/2.11.1
- https://www.cve.org/CVERecord?id=CVE-2021-32686