CVE-2022-24786

Description

PJSIP is a free and open source multimedia communication library written in C. PJSIP versions 2.12 and prior do not parse incoming RTCP feedback RPSI (Reference Picture Selection Indication) packet, but any app that directly uses pjmedia_rtcp_fb_parse_rpsi() will be affected. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.

How to fix CVE-2022-24786

To remediate CVE-2022-24786, upgrade the affected package to a fixed version below.

—upgrade to 2.12.1-r0 or later
—upgrade to 1:16.28.0~dfsg-0+deb11u1 or later
—no fix listed

Is CVE-2022-24786 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2.12.1-r0
from 0, < 1:16.28.0~dfsg-0+deb11u1
from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2022-24786
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-24786