Description
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script sources the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writable by the asterisk user:group. Because /etc/asterisk/ast_debug_tools.conf follows Bash semantics and is loaded by the script, an attacker with write permission may add to or modify the file so that, when ast_coredumper is run as root, it sources and thereby executes arbitrary Bash code found in /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
Published: 2026-02-06
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The ast_coredumper script runs with root privileges and sources a configuration file that is normally owned by the asterisk user and group. Because that file is writable by the unprivileged asterisk account, an attacker who controls it can inject arbitrary Bash code that the root process will execute. This lets the attacker gain full system privileges, compromising the confidentiality, integrity, and availability of the host. The weakness is classified as CWE-427 (Uncontrolled Search Path Element): the privileged script loads code from a location it does not control.

Affected Systems

Asterisk versions prior to 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2 are affected. Any installation that ships the asterisk/contrib/scripts/ast_coredumper utility and runs it as root is at risk if the configuration directory is writable by the asterisk user.

Risk and Exploitability

The vulnerability is readily exploitable by any user with write access to /etc/asterisk/ast_debug_tools.conf. The EPSS score is reported as less than 1%, indicating a very low likelihood of exploitation being observed in the wild, but the impact of a successful exploit is severe. The issue is not listed in the CISA KEV catalog, so no in-the-wild exploitation is currently known. An attacker would first need local or remote means to modify the configuration file; once that is achieved, the next run of ast_coredumper executes the attacker's code as root.

Generated by OpenCVE AI on April 17, 2026 at 22:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Asterisk to a patched release (20.7-cert9, 20.18.2, 21.12.1, 22.8.2 or 23.2.2, or later) to incorporate the vendor fix.
  • Ensure that /etc/asterisk/ast_debug_tools.conf is not world-writable; set permissions to 600 or as appropriate and confirm ownership by the asterisk user.
  • If an upgrade is not immediately possible, remove the source stanza from ast_coredumper or rewrite the script to ignore the configuration file entirely, so that untrusted data is never executed.
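A permission audit for the sourced configuration file and its directory, covering the second and third actions above. This is an added example, not code from Asterisk or OpenCVE; it assumes GNU coreutils stat and takes the expected owner as an argument so it can be run against a test copy as well as the live /etc/asterisk path.

```shell
#!/bin/sh
# Added example (not from Asterisk or OpenCVE): audit whether a root-run
# script can safely source FILE, the way ast_coredumper sources
# /etc/asterisk/ast_debug_tools.conf. FILE and its parent directory must be
# owned by EXPECTED_OWNER (default root) and must not be group- or
# world-writable; a writable directory would let an unprivileged user swap
# the file even when the file itself is locked down.
# Assumes GNU coreutils stat (-c). Exit status: 0 safe, 1 unsafe, 2 missing.
audit_debug_conf() {
    file=$1
    expected_owner=${2:-root}
    dir=$(dirname "$file")
    if [ ! -f "$file" ]; then
        echo "MISSING: $file"
        return 2
    fi
    rc=0
    for path in "$dir" "$file"; do
        owner=$(stat -c %U "$path")
        mode=$(stat -c %a "$path")
        # 022 (octal) masks the group-write and other-write permission bits
        if [ "$owner" != "$expected_owner" ]; then
            echo "UNSAFE: $path is owned by $owner, expected $expected_owner"
            rc=1
        elif [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "UNSAFE: $path has mode $mode (group- or world-writable)"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: $file and $dir are writable only by $expected_owner"
    fi
    return "$rc"
}

# Stand-alone usage, e.g.: sh audit_conf.sh /etc/asterisk/ast_debug_tools.conf
if [ "$#" -gt 0 ]; then
    audit_debug_conf "$@"
fi
```

Run it as a cron or configuration-management check so that a regression to writable permissions is flagged before the next core dump triggers the script.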


Advisories

Source: Debian DLA
ID: DLA-4515-1
Title: asterisk security update

History

Wed, 18 Feb 2026 18:45:00 +0000

Type: First Time appeared
Values Added: Sangoma; Sangoma asterisk; Sangoma certified Asterisk

Type: CPEs
Values Added:
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert3:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert4:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert5:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert6:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert7:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert8:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Sangoma; Sangoma asterisk; Sangoma certified Asterisk

Mon, 09 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Asterisk; Asterisk asterisk

Type: Vendors & Products
Values Added: Asterisk; Asterisk asterisk

Fri, 06 Feb 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 17:00:00 +0000

Type: Description
Values Added: Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script sources the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writable by the asterisk user:group. Because /etc/asterisk/ast_debug_tools.conf follows Bash semantics and is loaded by the script, an attacker with write permission may add to or modify the file so that, when ast_coredumper is run as root, it sources and thereby executes arbitrary Bash code found in /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

Type: Title
Values Added: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation

Type: Weaknesses
Values Added: CWE-427

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-02-06T17:26:22.216Z

Reserved: 2026-01-15T15:45:01.958Z

Link: CVE-2026-23741

Vulnrichment

Updated: 2026-02-06T17:24:08.164Z

NVD

Status: Analyzed

Published: 2026-02-06T17:16:26.427

Modified: 2026-02-18T18:42:31.550

Link: CVE-2026-23741

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z

Weaknesses