{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2021-32686","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","dateUpdated":"2025-11-04T16:09:14.172Z","dateReserved":"2021-05-12T00:00:00.000Z","datePublished":"2021-07-23T00:00:00.000Z"},"containers":{"cna":{"title":"Denial of Service in PJSIP","providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2022-10-31T00:00:00.000Z"},"descriptions":[{"lang":"en","value":"PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and destroy, due to the accepted socket having no group lock. Second, the SSL socket parent/listener may get destroyed during handshake. Both issues were reported to happen intermittently in heavy load TLS connections. They cause a crash, resulting in a denial of service. These are fixed in version 2.11.1."}],"affected":[{"vendor":"pjsip","product":"pjproject","versions":[{"version":"< 2.11.1","status":"affected"}]}],"references":[{"url":"https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr"},{"url":"https://github.com/pjsip/pjproject/pull/2716"},{"url":"https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd"},{"url":"https://github.com/pjsip/pjproject/releases/tag/2.11.1"},{"name":"DSA-4999","tags":["vendor-advisory"],"url":"https://www.debian.org/security/2021/dsa-4999"},{"name":"[debian-lts-announce] 20220328 [SECURITY] [DLA 2962-1] pjproject security update","tags":["mailing-list"],"url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"},{"name":"GLSA-202210-37","tags":["vendor-advisory"],"url":"https://security.gentoo.org/glsa/202210-37"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":5.9,"baseSeverity":"MEDIUM"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","cweId":"CWE-362"}]}],"source":{"advisory":"GHSA-cv8x-p47p-99wr","discovery":"UNKNOWN"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr","tags":["x_transferred"]},{"url":"https://github.com/pjsip/pjproject/pull/2716","tags":["x_transferred"]},{"url":"https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd","tags":["x_transferred"]},{"url":"https://github.com/pjsip/pjproject/releases/tag/2.11.1","tags":["x_transferred"]},{"name":"DSA-4999","tags":["vendor-advisory","x_transferred"],"url":"https://www.debian.org/security/2021/dsa-4999"},{"name":"[debian-lts-announce] 20220328 [SECURITY] [DLA 2962-1] pjproject security update","tags":["mailing-list","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"},{"name":"GLSA-202210-37","tags":["vendor-advisory","x_transferred"],"url":"https://security.gentoo.org/glsa/202210-37"},{"url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-04T16:09:14.172Z"}}]}}