Vulnerability details: VCID-r9fg-q9t2-x7hp
Vulnerability ID VCID-r9fg-q9t2-x7hp
Aliases CVE-2022-23608
Summary PJSIP is a free and open source multimedia communication library written in the C language, implementing standards-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1, when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed. The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys), leading to undefined behavior such as a dialog list collision, which eventually leads to an endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f, which will be included in the next release. There are no known workarounds for this issue.
Status Published
Exploitability 0.5
Weighted Severity 8.8
Risk 4.4
System Score Found at
cvssv3.1 8.1 http://packetstormsecurity.com/files/166226/Asterisk-Project-Security-Advisory-AST-2022-005.html
ssvc Track http://packetstormsecurity.com/files/166226/Asterisk-Project-Security-Advisory-AST-2022-005.html
epss 0.00354 https://api.first.org/data/v1/epss?cve=CVE-2022-23608
epss 0.0046 https://api.first.org/data/v1/epss?cve=CVE-2022-23608
cvssv3.1 8.1 http://seclists.org/fulldisclosure/2022/Mar/1
ssvc Track http://seclists.org/fulldisclosure/2022/Mar/1
cvssv3.1 8.1 https://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f
ssvc Track https://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f
cvssv3.1 8.1 https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62
ssvc Track https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62
cvssv3.1 8.1 https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
ssvc Track https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
cvssv3.1 8.1 https://lists.debian.org/debian-lts-announce/2022/03/msg00040.html
ssvc Track https://lists.debian.org/debian-lts-announce/2022/03/msg00040.html
cvssv3.1 8.1 https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
ssvc Track https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
cvssv3.1 8.1 https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
ssvc Track https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
cvssv2 7.5 https://nvd.nist.gov/vuln/detail/CVE-2022-23608
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2022-23608
cvssv3.1 8.1 https://security.gentoo.org/glsa/202210-37
ssvc Track https://security.gentoo.org/glsa/202210-37
cvssv3.1 8.1 https://www.debian.org/security/2022/dsa-5285
ssvc Track https://www.debian.org/security/2022/dsa-5285
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-23608
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37706
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43299
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43300
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43301
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43302
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43303
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43804
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43845
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21722
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21723
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23608
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24763
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24764
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24792
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24793
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26498
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26651
1 http://seclists.org/fulldisclosure/2022/Mar/1
1014998 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014998
202210-37 https://security.gentoo.org/glsa/202210-37
Asterisk-Project-Security-Advisory-AST-2022-005.html http://packetstormsecurity.com/files/166226/Asterisk-Project-Security-Advisory-AST-2022-005.html
cpe:2.3:a:asterisk:certified_asterisk:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:asterisk:certified_asterisk:*:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert1:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert10:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert10:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert11:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert11:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert12:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert12:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert2:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert3:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert3:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert4:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert4:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert5:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert5:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert6:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert6:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert7:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert7:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert8:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert8:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert9:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert9:*:*:*:*:*:*
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
CVE-2022-23608 https://nvd.nist.gov/vuln/detail/CVE-2022-23608
db3235953baa56d2fb0e276ca510fefca751643f https://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f
dsa-5285 https://www.debian.org/security/2022/dsa-5285
GHSA-ffff-m5fm-qm62 https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62
msg00021.html https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
msg00035.html https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
msg00038.html https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
msg00040.html https://lists.debian.org/debian-lts-announce/2022/03/msg00040.html
USN-6422-1 https://usn.ubuntu.com/6422-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://packetstormsecurity.com/files/166226/Asterisk-Project-Security-Advisory-AST-2022-005.html
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:53Z/ Found at http://packetstormsecurity.com/files/166226/Asterisk-Project-Security-Advisory-AST-2022-005.html
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://seclists.org/fulldisclosure/2022/Mar/1
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:53Z/ Found at http://seclists.org/fulldisclosure/2022/Mar/1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:53Z/ Found at https://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:53Z/ Found at https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:53Z/ Found at https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2022/03/msg00040.html
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:53Z/ Found at https://lists.debian.org/debian-lts-announce/2022/03/msg00040.html
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:53Z/ Found at https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:53Z/ Found at https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2022-23608
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-23608
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/202210-37
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:53Z/ Found at https://security.gentoo.org/glsa/202210-37
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.debian.org/security/2022/dsa-5285
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:53Z/ Found at https://www.debian.org/security/2022/dsa-5285
Exploit Prediction Scoring System (EPSS)
Percentile 0.5701
EPSS Score 0.00354
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:31:45.778127+00:00 Alpine Linux Importer Import https://secdb.alpinelinux.org/v3.16/main.json 37.0.0