CVE-2026-23740

EUVD-2026-5617
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission to that directory (which is every user on a Linux system) can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
CVSS 3.x Base Score

Provider  | Type    | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
----------|---------|------------|-------------|-----------------|----------------|---------------------------------------------
NIST      | Primary | 0 NONE     | LOCAL       | LOW             | NONE           | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
GitHub_M  | CNA     | 0 NONE     | LOCAL       | LOW             | NONE           | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
CISA-ADP  | ADP     | 7.8 HIGH   | LOCAL       | LOW             | NONE           | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score: percentile 4%
Affected Products (NVD)

Vendor  | Product            | Version
--------|--------------------|----------------------
sangoma | certified_asterisk | 13.13.0
sangoma | certified_asterisk | 13.13.0:cert1
sangoma | certified_asterisk | 13.13.0:cert1-rc1
sangoma | certified_asterisk | 13.13.0:cert1-rc2
sangoma | certified_asterisk | 13.13.0:cert1-rc3
sangoma | certified_asterisk | 13.13.0:cert1-rc4
sangoma | certified_asterisk | 13.13.0:cert2
sangoma | certified_asterisk | 13.13.0:cert3
sangoma | certified_asterisk | 13.13.0:rc1
sangoma | certified_asterisk | 13.13.0:rc2
sangoma | certified_asterisk | 16.8:cert1-rc1
sangoma | certified_asterisk | 16.8:cert1-rc2
sangoma | certified_asterisk | 16.8:cert1-rc3
sangoma | certified_asterisk | 16.8:cert1-rc4
sangoma | certified_asterisk | 16.8:cert1-rc5
sangoma | certified_asterisk | 16.8:cert10
sangoma | certified_asterisk | 16.8:cert11
sangoma | certified_asterisk | 16.8:cert12
sangoma | certified_asterisk | 16.8:cert13
sangoma | certified_asterisk | 16.8:cert14
sangoma | certified_asterisk | 16.8:cert4-rc1
sangoma | certified_asterisk | 16.8:cert4-rc2
sangoma | certified_asterisk | 16.8:cert4-rc3
sangoma | certified_asterisk | 16.8:cert4-rc4
sangoma | certified_asterisk | 16.8.0
sangoma | certified_asterisk | 16.8.0:cert1
sangoma | certified_asterisk | 16.8.0:cert10
sangoma | certified_asterisk | 16.8.0:cert11
sangoma | certified_asterisk | 16.8.0:cert12
sangoma | certified_asterisk | 16.8.0:cert2
sangoma | certified_asterisk | 16.8.0:cert3
sangoma | certified_asterisk | 16.8.0:cert4
sangoma | certified_asterisk | 16.8.0:cert5
sangoma | certified_asterisk | 16.8.0:cert6
sangoma | certified_asterisk | 16.8.0:cert7
sangoma | certified_asterisk | 16.8.0:cert8
sangoma | certified_asterisk | 16.8.0:cert9
sangoma | certified_asterisk | 18.9
sangoma | certified_asterisk | 18.9:cert1
sangoma | certified_asterisk | 18.9:cert1-rc1
sangoma | certified_asterisk | 18.9:cert10
sangoma | certified_asterisk | 18.9:cert11
sangoma | certified_asterisk | 18.9:cert12
sangoma | certified_asterisk | 18.9:cert13
sangoma | certified_asterisk | 18.9:cert14
sangoma | certified_asterisk | 18.9:cert15
sangoma | certified_asterisk | 18.9:cert16
sangoma | certified_asterisk | 18.9:cert2
sangoma | certified_asterisk | 18.9:cert3
sangoma | certified_asterisk | 18.9:cert4
sangoma | certified_asterisk | 18.9:cert5
sangoma | certified_asterisk | 18.9:cert6
sangoma | certified_asterisk | 18.9:cert7
sangoma | certified_asterisk | 18.9:cert8
sangoma | certified_asterisk | 18.9:cert8-rc1
sangoma | certified_asterisk | 18.9:cert8-rc2
sangoma | certified_asterisk | 18.9:cert9
sangoma | certified_asterisk | 20.7:cert1
sangoma | certified_asterisk | 20.7:cert1-rc1
sangoma | certified_asterisk | 20.7:cert1-rc2
sangoma | certified_asterisk | 20.7:cert2
sangoma | certified_asterisk | 20.7:cert3
sangoma | certified_asterisk | 20.7:cert4
sangoma | certified_asterisk | 20.7:cert5
sangoma | certified_asterisk | 20.7:cert6
sangoma | certified_asterisk | 20.7:cert7
sangoma | asterisk           | x < 20.18.2
sangoma | asterisk           | 21.0.0 ≤ x < 21.12.1
sangoma | asterisk           | 22.0.0 ≤ x < 22.8.2
sangoma | asterisk           | 23.0.0 ≤ x < 23.2.2

x = vulnerable software versions
Debian Releases

Debian Product | Codename            | Version                             | Status
---------------|---------------------|-------------------------------------|-----------
asterisk       | bullseye            |                                     | vulnerable
asterisk       | bullseye (security) |                                     | vulnerable
asterisk       | sid                 | 1:22.8.2+dfsg+~cs6.15.60671435-1    | fixed