Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions 18.9-cert12 and 20.7-cert2 of certified-asterisk, if Asterisk attempts to send a SIP request to a URI whose host portion starts with `.1` or `[.1]`, and res_resolver_unbound is loaded, Asterisk will crash with a SEGV. To receive a patch, users should upgrade to one of the following versions: 18.24.3, 20.9.3, 21.4.3, certified-18.9-cert12, certified-20.7-cert2. Two workarounds are available. Disable res_resolver_unbound by setting `noload = res_resolver_unbound.so` in modules.conf, or set `rewrite_contact = yes` on all PJSIP endpoints. NOTE: This may not be appropriate for all Asterisk configurations.
Metrics
Affected Vendors & Products
References
History
Tue, 26 Aug 2025 18:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Sangoma
Sangoma asterisk Sangoma certified Asterisk |
|
CPEs | cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:-:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1-rc1:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert10:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert11:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert3:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert4:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert5:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert6:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert7:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8-rc1:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8-rc2:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert9:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc1:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc2:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:20.7:cert2:*:*:*:*:*:* |
|
Vendors & Products |
Sangoma
Sangoma asterisk Sangoma certified Asterisk |
Thu, 05 Sep 2024 19:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Thu, 05 Sep 2024 17:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions 18.9-cert12 and 20.7-cert2 of certified-asterisk, if Asterisk attempts to send a SIP request to a URI whose host portion starts with `.1` or `[.1]`, and res_resolver_unbound is loaded, Asterisk will crash with a SEGV. To receive a patch, users should upgrade to one of the following versions: 18.24.3, 20.9.3, 21.4.3, certified-18.9-cert12, certified-20.7-cert2. Two workarounds are available. Disable res_resolver_unbound by setting `noload = res_resolver_unbound.so` in modules.conf, or set `rewrite_contact = yes` on all PJSIP endpoints. NOTE: This may not be appropriate for all Asterisk configurations. | |
Title | A malformed Contact or Record-Route URI in an incoming SIP request can cause Asterisk to crash when res_resolver_unbound is used | |
Weaknesses | CWE-252 CWE-476 |
|
References |
|
|
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2024-09-05T18:52:42.844Z
Reserved: 2024-08-02T14:13:04.619Z
Link: CVE-2024-42491

Updated: 2024-09-05T18:52:38.660Z

Status : Analyzed
Published: 2024-09-05T18:15:05.707
Modified: 2025-08-26T17:47:36.190
Link: CVE-2024-42491

No data.

Updated: 2025-07-12T22:31:10Z