CVE-2021-32686

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-32686
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-32686.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-32686
Published
2021-07-23T22:15:08Z
Modified
2025-09-19T12:57:55.389387Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

PJSIP is a free and open source multimedia communication library written in C that implements standards-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues in the SSL socket. First, there is a race condition between callback and destroy, because the accepted socket has no group lock. Second, the SSL socket parent/listener may get destroyed during the handshake. Both issues were reported to happen intermittently with TLS connections under heavy load. They cause a crash, resulting in a denial of service. These are fixed in version 2.11.1.

Affected packages

Alpine:v3.14

pjproject

Package

Name
pjproject
Purl
pkg:apk/alpine/pjproject?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.11.1-r0

Affected versions

1.*

1.0.1-r0
1.4-r0
1.4-r1
1.6-r0
1.6-r1
1.6-r2
1.10-r0

2.*

2.0-r0
2.1-r0
2.2-r0
2.2.1-r0
2.3-r0
2.4-r0
2.4.5-r0
2.5.5-r0
2.5.5-r1
2.5.5-r2
2.5.5-r3
2.5.5-r4
2.7.2-r0
2.7.2-r1
2.7.2-r2
2.7.2-r3
2.7.2-r4
2.8-r0
2.9-r0

Alpine:v3.15

pjproject

Package

Name
pjproject
Purl
pkg:apk/alpine/pjproject?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.11.1-r0

Affected versions

1.*

1.0.1-r0
1.4-r0
1.4-r1
1.6-r0
1.6-r1
1.6-r2
1.10-r0

2.*

2.0-r0
2.1-r0
2.2-r0
2.2.1-r0
2.3-r0
2.4-r0
2.4.5-r0
2.5.5-r0
2.5.5-r1
2.5.5-r2
2.5.5-r3
2.5.5-r4
2.7.2-r0
2.7.2-r1
2.7.2-r2
2.7.2-r3
2.7.2-r4
2.8-r0
2.9-r0
2.11-r0

Alpine:v3.16

pjproject

Package

Name
pjproject
Purl
pkg:apk/alpine/pjproject?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.11.1-r0

Affected versions

1.*

1.0.1-r0
1.4-r0
1.4-r1
1.6-r0
1.6-r1
1.6-r2
1.10-r0

2.*

2.0-r0
2.1-r0
2.2-r0
2.2.1-r0
2.3-r0
2.4-r0
2.4.5-r0
2.5.5-r0
2.5.5-r1
2.5.5-r2
2.5.5-r3
2.5.5-r4
2.7.2-r0
2.7.2-r1
2.7.2-r2
2.7.2-r3
2.7.2-r4
2.8-r0
2.9-r0
2.11-r0

Alpine:v3.17

pjproject

Package

Name
pjproject
Purl
pkg:apk/alpine/pjproject?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.11.1-r0

Affected versions

1.*

1.0.1-r0
1.4-r0
1.4-r1
1.6-r0
1.6-r1
1.6-r2
1.10-r0

2.*

2.0-r0
2.1-r0
2.2-r0
2.2.1-r0
2.3-r0
2.4-r0
2.4.5-r0
2.5.5-r0
2.5.5-r1
2.5.5-r2
2.5.5-r3
2.5.5-r4
2.7.2-r0
2.7.2-r1
2.7.2-r2
2.7.2-r3
2.7.2-r4
2.8-r0
2.9-r0
2.11-r0

Alpine:v3.18

pjproject

Package

Name
pjproject
Purl
pkg:apk/alpine/pjproject?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.11.1-r0

Affected versions

1.*

1.0.1-r0
1.4-r0
1.4-r1
1.6-r0
1.6-r1
1.6-r2
1.10-r0

2.*

2.0-r0
2.1-r0
2.2-r0
2.2.1-r0
2.3-r0
2.4-r0
2.4.5-r0
2.5.5-r0
2.5.5-r1
2.5.5-r2
2.5.5-r3
2.5.5-r4
2.7.2-r0
2.7.2-r1
2.7.2-r2
2.7.2-r3
2.7.2-r4
2.8-r0
2.9-r0
2.11-r0

Alpine:v3.19

pjproject

Package

Name
pjproject
Purl
pkg:apk/alpine/pjproject?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.11.1-r0

Affected versions

1.*

1.0.1-r0
1.4-r0
1.4-r1
1.6-r0
1.6-r1
1.6-r2
1.10-r0

2.*

2.0-r0
2.1-r0
2.2-r0
2.2.1-r0
2.3-r0
2.4-r0
2.4.5-r0
2.5.5-r0
2.5.5-r1
2.5.5-r2
2.5.5-r3
2.5.5-r4
2.7.2-r0
2.7.2-r1
2.7.2-r2
2.7.2-r3
2.7.2-r4
2.8-r0
2.9-r0
2.11-r0

Alpine:v3.20

pjproject

Package

Name
pjproject
Purl
pkg:apk/alpine/pjproject?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.11.1-r0

Affected versions

1.*

1.0.1-r0
1.4-r0
1.4-r1
1.6-r0
1.6-r1
1.6-r2
1.10-r0

2.*

2.0-r0
2.1-r0
2.2-r0
2.2.1-r0
2.3-r0
2.4-r0
2.4.5-r0
2.5.5-r0
2.5.5-r1
2.5.5-r2
2.5.5-r3
2.5.5-r4
2.7.2-r0
2.7.2-r1
2.7.2-r2
2.7.2-r3
2.7.2-r4
2.8-r0
2.9-r0
2.11-r0

Alpine:v3.21

pjproject

Package

Name
pjproject
Purl
pkg:apk/alpine/pjproject?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.11.1-r0

Affected versions

1.*

1.0.1-r0
1.4-r0
1.4-r1
1.6-r0
1.6-r1
1.6-r2
1.10-r0

2.*

2.0-r0
2.1-r0
2.2-r0
2.2.1-r0
2.3-r0
2.4-r0
2.4.5-r0
2.5.5-r0
2.5.5-r1
2.5.5-r2
2.5.5-r3
2.5.5-r4
2.7.2-r0
2.7.2-r1
2.7.2-r2
2.7.2-r3
2.7.2-r4
2.8-r0
2.9-r0
2.11-r0

Alpine:v3.22

pjproject

Package

Name
pjproject
Purl
pkg:apk/alpine/pjproject?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.11.1-r0

Affected versions

1.*

1.0.1-r0
1.4-r0
1.4-r1
1.6-r0
1.6-r1
1.6-r2
1.10-r0

2.*

2.0-r0
2.1-r0
2.2-r0
2.2.1-r0
2.3-r0
2.4-r0
2.4.5-r0
2.5.5-r0
2.5.5-r1
2.5.5-r2
2.5.5-r3
2.5.5-r4
2.7.2-r0
2.7.2-r1
2.7.2-r2
2.7.2-r3
2.7.2-r4
2.8-r0
2.9-r0
2.11-r0

Git

github.com/pjsip/pjproject

Affected ranges

Type
GIT
Repo
https://github.com/pjsip/pjproject
Events
Introduced
0 (Unknown introduced commit / All previous commits are affected)
Fixed
Fixed

Affected versions

2.*

2.10
2.11

Database specific

{
    "vanir_signatures": [
        {
            "id": "CVE-2021-32686-1aa9a2f5",
            "signature_type": "Line",
            "digest": {
                "line_hashes": [
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "pjsip/src/pjsip/sip_transport_tls.c"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd"
        },
        {
            "id": "CVE-2021-32686-237331bf",
            "signature_type": "Function",
            "digest": {
                "function_hash": "87514367646041548440365361619785642496",
                "length": 290.0
            },
            "target": {
                "file": "pjlib/src/pj/ssl_sock_ossl.c",
                "function": "STATUS_FROM_SSL_ERR2"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd"
        },
        {
            "id": "CVE-2021-32686-386203b9",
            "signature_type": "Line",
            "digest": {
                "line_hashes": [
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "pjlib/src/pj/ssl_sock_imp_common.c"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd"
        },
        {
            "id": "CVE-2021-32686-3b275c74",
            "signature_type": "Function",
            "digest": {
                "function_hash": "179740838800637229524325446287628465579",
                "length": 2345.0
            },
            "target": {
                "file": "pjlib/src/pj/ssl_sock_imp_common.c",
                "function": "on_handshake_complete"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd"
        },
        {
            "id": "CVE-2021-32686-513505df",
            "signature_type": "Function",
            "digest": {
                "function_hash": "326040681455073002144112236576574798008",
                "length": 2246.0
            },
            "target": {
                "file": "pjlib/src/pj/ssl_sock_ossl.c",
                "function": "verify_cb"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd"
        },
        {
            "id": "CVE-2021-32686-95e73672",
            "signature_type": "Function",
            "digest": {
                "function_hash": "101081476854559734136837778994810640389",
                "length": 408.0
            },
            "target": {
                "file": "pjlib/src/pj/ssl_sock_ossl.c",
                "function": "ssl_reset_sock_state"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd"
        },
        {
            "id": "CVE-2021-32686-abcb1931",
            "signature_type": "Function",
            "digest": {
                "function_hash": "8118482381805178818440912739540646437",
                "length": 3518.0
            },
            "target": {
                "file": "pjlib/src/pj/ssl_sock_ossl.c",
                "function": "init_openssl"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd"
        },
        {
            "id": "CVE-2021-32686-cd9b57f2",
            "signature_type": "Function",
            "digest": {
                "function_hash": "150581142830466230818483646195129574731",
                "length": 3519.0
            },
            "target": {
                "file": "pjsip/src/pjsip/sip_transport_tls.c",
                "function": "on_accept_complete2"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd"
        },
        {
            "id": "CVE-2021-32686-d043f823",
            "signature_type": "Function",
            "digest": {
                "function_hash": "176161265189050759411748644744173437102",
                "length": 342.0
            },
            "target": {
                "file": "pjlib/src/pj/ssl_sock_ossl.c",
                "function": "STATUS_FROM_SSL_ERR"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd"
        },
        {
            "id": "CVE-2021-32686-fcfadffc",
            "signature_type": "Line",
            "digest": {
                "line_hashes": [
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "pjlib/src/pj/ssl_sock_ossl.c"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd"
        },
        {
            "id": "CVE-2021-32686-ffde2f3b",
            "signature_type": "Function",
            "digest": {
                "function_hash": "84787294693304893400992381060548000027",
                "length": 3979.0
            },
            "target": {
                "file": "pjlib/src/pj/ssl_sock_imp_common.c",
                "function": "ssock_on_accept_complete"
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd"
        }
    ]
}