Description
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission to that directory (which is all users on a Linux system) can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
Published: 2026-02-06
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

The vulnerability affects the Asterisk open source telephony platform. ast_coredumper is the helper script that an administrator runs as root to collect a backtrace from an Asterisk core file with gdb. When it writes its gdb init file and its output files into a world-writable directory such as /tmp, any local user can create those paths first. Because gdb executes the commands in the init file it is given, including shell commands, an attacker who controls the init file gets arbitrary command execution as root, and an attacker who controls the output paths (for example through a symlink) can make root overwrite arbitrary files. The weaknesses recorded for this issue are CWE-427 (Uncontrolled Search Path Element) and CWE-379 (Creation of Temporary File in Directory with Insecure Permissions).

Affected Systems

The affected product is the Asterisk PBX maintained by Sangoma, including the Certified Asterisk releases. Asterisk releases earlier than 20.18.2, 21.12.1, 22.8.2 and 23.2.2 are vulnerable, as are Certified Asterisk releases earlier than 20.7‑cert9 (the NVD configuration also lists the older 13.13, 16.8 and 18.9 certified branches). The fix is in Asterisk 20.18.2, 21.12.1, 22.8.2 and 23.2.2 and in Certified Asterisk 20.7‑cert9; of these, only 20.7‑cert9 is a certified release.

Risk and Exploitability

The EPSS score is below 1%, indicating a low predicted probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack is local: any user who can write to the directory the script uses (every user, when that directory is /tmp) plants a crafted gdb init file or symlinks at the paths the script will write, then waits for an administrator to run ast_coredumper as root, which executes the attacker's gdb commands or writes through the attacker's links. That dependency on a privileged user running the script is what the UI:R in the recorded CVSS vector reflects. Note that the stored vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N) has no impact metrics set, which is why the score shows as 0; it does not describe the real impact, which Red Hat rates Important and the SSVC assessment marks as a total technical impact.

Generated by OpenCVE AI on April 17, 2026 at 22:40 UTC.

Remediation

Vendor fix: upgrade to Asterisk 20.18.2, 21.12.1, 22.8.2 or 23.2.2, or to Certified Asterisk 20.7‑cert9. Debian has published DLA-4515-1 for its asterisk package. Until the upgrade is applied, the workaround is to keep the script's gdb init and output files out of any world-writable directory.

OpenCVE Recommended Actions

  • Upgrade Asterisk to the fixed release for the branch in use: Certified Asterisk 20.7‑cert9, or Asterisk 20.18.2, 21.12.1, 22.8.2 or 23.2.2 (Debian users: DLA-4515-1).
  • If an immediate upgrade is not feasible, never point ast_coredumper at a world-writable directory such as /tmp; use a directory that root owns and that no other user can write to (mode 0700), and verify the permissions and the absence of pre-existing files or symlinks before each run.
  • Audit hosts for unexpected files or symlinks named after the script's gdb init or output files in world-writable directories, and monitor those directories for their creation; treat any such file not created by the script itself as an attempted attack.
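The mechanism described in the Impact and Risk sections, and the directory-permission workaround in the recommended actions above, as an added example: this is not the ast_coredumper script or any Asterisk project code, it does not invoke gdb, and the file name ast_coredumper.gdbinit and the function names are illustrative assumptions. It reproduces the symlink overwrite against the unsafe pattern, shows a hardened writer, and gives the pre-flight check an operator can run on an intended output directory.

```shell
#!/bin/sh
# Added example, not the ast_coredumper script itself. It contrasts the unsafe
# pattern of writing a gdb init file under a predictable name into a shared
# directory with a hardened version, and adds a pre-flight check for the
# directory an operator intends to use. Names below are illustrative.

GDBINIT_NAME="ast_coredumper.gdbinit"   # assumed predictable file name

# Unsafe: fixed path in a caller-supplied directory. The redirection follows
# a pre-planted symlink, so when the caller is root it overwrites whatever the
# link points at. In the real script the file would then be handed to gdb,
# and any "shell ..." line an attacker left in it would run as root.
unsafe_write_gdbinit() {
    initfile="$1/$GDBINIT_NAME"
    printf 'set pagination off\nbt full\n' > "$initfile"
    printf '%s\n' "$initfile"
}

# Hardened: a fresh private directory (mktemp -d gives mode 0700 and an
# unguessable name), a refusal to write if anything already sits at the path,
# and a restrictive umask for the file itself.
safe_write_gdbinit() {
    outdir=$(mktemp -d "${TMPDIR:-/tmp}/ast_coredumper.XXXXXX") || return 1
    initfile="$outdir/$GDBINIT_NAME"
    if [ -e "$initfile" ] || [ -L "$initfile" ]; then
        return 2
    fi
    (umask 077 && printf 'set pagination off\nbt full\n' > "$initfile") || return 3
    printf '%s\n' "$initfile"
}

# Pre-flight check for an operator-chosen output directory.
# 0 = usable, 1 = not a directory, 2 = not owned by the caller,
# 3 = writable by others (the condition the advisory describes).
check_outputdir() {
    d=$1
    [ -d "$d" ] || return 1
    [ -O "$d" ] || return 2
    # ls -ld prints e.g. "drwxrwxrwt ..."; character 9 is the other-write bit.
    case $(ls -ld "$d") in
        ????????w*) return 3 ;;
    esac
    return 0
}

# Reproduction of the overwrite: an attacker plants a symlink at the
# predictable name in a world-writable directory, then the unsafe writer runs.
# Returns 0 if the victim file was clobbered (bug reproduced), 1 if not.
# The sandbox directories and the victim file are constructed here.
demo_symlink_clobber() {
    shared=$(mktemp -d "${TMPDIR:-/tmp}/shared.XXXXXX") && chmod 1777 "$shared"
    victim=$(mktemp "${TMPDIR:-/tmp}/victim.XXXXXX")
    printf 'original\n' > "$victim"
    ln -s "$victim" "$shared/$GDBINIT_NAME"          # attacker's step
    unsafe_write_gdbinit "$shared" >/dev/null        # "root" runs the script
    if [ "$(cat "$victim")" != "original" ]; then rc=0; else rc=1; fi
    rm -rf "$shared" "$victim"
    return $rc
}

# Stand-alone run: reproduce the bug, then show the hardened path and the check.
if [ "${1:-}" = "--demo" ]; then
    demo_symlink_clobber && echo "unsafe writer: victim file overwritten via symlink"
    f=$(safe_write_gdbinit) && echo "safe writer: wrote $f" && ls -ld "$f" "$(dirname "$f")"
    check_outputdir /tmp || echo "check_outputdir /tmp -> rc=$? (not usable)"
fi
```

Run it with `sh example.sh --demo`. `check_outputdir` is the test to apply to whatever directory the script will be pointed at; on a stock system /tmp fails it with rc 3 because of the other-write bit, which is exactly the condition the advisory describes, while a root-owned 0700 directory passes.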



Advisories
Source: Debian DLA | ID: DLA-4515-1 | Title: asterisk security update
History

Tue, 10 Feb 2026 18:30:00 +0000

Type: First Time appeared
Values Added: Sangoma; Sangoma asterisk; Sangoma certified Asterisk

Type: CPEs
Values Added:
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:-:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc3:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc4:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert3:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:-:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert10:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert11:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert12:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert3:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert4:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert5:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert6:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert7:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert8:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert9:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8:cert1-rc1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8:cert1-rc2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8:cert1-rc3:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8:cert1-rc4:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8:cert1-rc5:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8:cert10:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8:cert11:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8:cert12:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8:cert13:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8:cert14:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8:cert4-rc1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8:cert4-rc2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8:cert4-rc3:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:16.8:cert4-rc4:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:-:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1-rc1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert10:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert11:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert12:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert13:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert14:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert15:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert16:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert3:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert4:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert5:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert6:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert7:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8-rc1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8-rc2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert9:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert3:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert4:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert5:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert6:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert7:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Sangoma; Sangoma asterisk; Sangoma certified Asterisk

Tue, 10 Feb 2026 00:15:00 +0000

Type: Weaknesses
Values Added: CWE-379

Type: References

Type: Metrics (threat_severity)
Values Removed: None
Values Added: Important


Mon, 09 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Asterisk; Asterisk asterisk

Type: Vendors & Products
Values Added: Asterisk; Asterisk asterisk

Fri, 06 Feb 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 17:00:00 +0000

Type: Description
Values Added: Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission to that directory (which is all users on a Linux system) can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

Type: Title
Values Added: Asterisk vulnerable to potential privilege escalation

Type: Weaknesses
Values Added: CWE-427

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T19:11:55.655Z

Reserved: 2026-01-15T15:45:01.958Z

Link: CVE-2026-23740

Vulnrichment

Updated: 2026-02-06T17:33:48.909Z

NVD

Status: Analyzed

Published: 2026-02-06T17:16:26.290

Modified: 2026-02-10T18:25:39.730

Link: CVE-2026-23740

Red Hat

Severity: Important

Public Date: 2026-02-06T16:43:41Z

Links: CVE-2026-23740 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z