=====================================================================
                            CERT-Renater

                 Information Note No. 2026/VULN265
_____________________________________________________________________

DATE                 : 06/03/2026

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running pjsip presence versions prior
                       to 2.17.

=====================================================================
https://github.com/pjsip/pjproject/security/advisories/GHSA-8fj4-fv9f-hjpc
_____________________________________________________________________

Heap use-after-free in PJSIP presence subscription termination handler

High
sauwming published GHSA-8fj4-fv9f-hjpc Mar 5, 2026

Package           : pjsip presence
Affected versions : 2.16 or lower
Patched versions  : 2.17

Description

A heap use-after-free vulnerability exists in PJSIP's event
subscription framework (evsub.c) that is triggered during presence
unsubscription (SUBSCRIBE with Expires=0).

Impact

Any application that acts as a presence server (UAS) handling
SUBSCRIBE requests is affected, including those supporting presence,
MWI, and dialog-event.

Patches

The patch is available as commit e06ff6c in the master branch.

Severity   : High
CVE ID     : CVE-2026-28799
Weaknesses : No CWEs
Credits    : @arthurscchan (Finder)

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================