CVE-2022-23608

Severity: Critical (CVSS 3.1 base score 9.8)
Published Feb 22, 2022 · Last Modified Jun 17, 2026

Description

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1, when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed. The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys), leading to undefined behavior such as dialog list collision, which eventually leads to an endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known workarounds for this issue.

CVSS Details

Base Score
9.8
Exploitability
3.9
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free (Memory Safety)

Affected Products 19

Vendor    Product             Version  Range
teluu     pjsip               *        ≤ 2.11.1
asterisk  certified_asterisk  *        < 16.8.0
asterisk  certified_asterisk  16.8.0   any
sangoma   asterisk            *        ≥ 16.0.0, < 16.24.1
sangoma   asterisk            *        ≥ 18.0.0, < 18.10.1
sangoma   asterisk            *        ≥ 19.0.0, < 19.2.1
debian    debian_linux        9.0      any
debian    debian_linux        10.0     any

References 11

  • packetstormsecurity.com http://packetstormsecurity.com/files/166226/Asterisk-Project-Security-Advisory-AST-2022-005.html
    Third Party Advisory, VDB Entry
  • seclists.org http://seclists.org/fulldisclosure/2022/Mar/1
    Mailing List, Patch, Third Party Advisory
  • github.com https://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f
    Patch, Third Party Advisory
  • github.com https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62
    Issue Tracking, Patch, Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
    Mailing List, Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2022/03/msg00040.html
    Mailing List, Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
    Mailing List, Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html
  • security.gentoo.org https://security.gentoo.org/glsa/202210-37
    Third Party Advisory
  • debian.org https://www.debian.org/security/2022/dsa-5285
    Third Party Advisory

Remediation

  • seclists.org http://seclists.org/fulldisclosure/2022/Mar/1
    Mailing List, Patch, Third Party Advisory
  • github.com https://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f
    Patch, Third Party Advisory
  • github.com https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62
    Issue Tracking, Patch, Third Party Advisory