{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23741", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-15T15:45:01.958Z", "datePublished": "2026-02-06T16:47:19.611Z", "dateUpdated": "2026-02-06T17:26:22.216Z"}, "containers": {"cna": {"title": "ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation", "problemTypes": [{"descriptions": [{"cweId": "CWE-427", "lang": "en", "description": "CWE-427: Uncontrolled Search Path Element", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3"}], "affected": [{"vendor": "asterisk", "product": "asterisk", "versions": [{"version": "< 23.2.2", "status": "affected"}, {"version": "< 22.8.2", "status": "affected"}, {"version": "< 21.12.1", "status": "affected"}, {"version": "< 20.18.2", "status": "affected"}, {"version": "< 20.7-cert9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T16:47:19.611Z"}, "descriptions": [{"lang": "en", "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Due to the /etc/asterisk/ast_debug_tools.conf file following bash semantics and it being loaded; an attacker with write permissions may add or modify the file such that when the root ast_coredumper is run; it would source and thereby execute arbitrary bash code found in the /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."}], "source": {"advisory": "GHSA-rvch-3jmx-3jf3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T17:22:49.844752Z", "id": "CVE-2026-23741", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T17:26:22.216Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23741", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-06T17:22:49.844752Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T17:24:08.164Z"}}], "cna": {"title": "ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation", "source": {"advisory": "GHSA-rvch-3jmx-3jf3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 0, "attackVector": "LOCAL", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "asterisk", "product": "asterisk", "versions": [{"status": "affected", "version": "< 23.2.2"}, {"status": "affected", "version": "< 22.8.2"}, {"status": "affected", "version": "< 21.12.1"}, {"status": "affected", "version": "< 20.18.2"}, {"status": "affected", "version": "< 20.7-cert9"}]}], "references": [{"url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3", "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Due to the /etc/asterisk/ast_debug_tools.conf file following bash semantics and it being loaded; an attacker with write permissions may add or modify the file such that when the root ast_coredumper is run; it would source and thereby execute arbitrary bash code found in the /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-427", "description": "CWE-427: Uncontrolled Search Path Element"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T16:47:19.611Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23741", "state": "PUBLISHED", "dateUpdated": "2026-02-06T17:26:22.216Z", "dateReserved": "2026-01-15T15:45:01.958Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T16:47:19.611Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "46AC3571-DD52-4F3C-98D2-3BB915498D41", "versionEndExcluding": "20.18.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "B9CB7760-849C-42CB-BF9A-A3DB40F19447", "versionEndExcluding": "21.12.1", "versionStartIncluding": "21.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "03AEEF8D-B546-4587-A236-63E2C41582FF", "versionEndExcluding": "22.8.2", "versionStartIncluding": "22.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "B036D768-9ADA-4965-A596-BEF60749C3CD", "versionEndExcluding": "23.2.2", "versionStartIncluding": "23.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "44460225-C50D-414A-A2E0-F8280E1C1E1D", "versionEndIncluding": "18.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1:*:*:*:*:*:*", "matchCriteriaId": "79225576-AF7C-4099-9624-C53578A7417F", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc1:*:*:*:*:*:*", "matchCriteriaId": "29323E6E-12C9-46C7-B29C-25E0CD537A8E", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc2:*:*:*:*:*:*", "matchCriteriaId": "8E563972-78C0-40A0-83EA-6A3BA3D71946", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert2:*:*:*:*:*:*", "matchCriteriaId": "64209621-D458-432A-B0E3-C8D0B6698574", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert3:*:*:*:*:*:*", "matchCriteriaId": "B148158A-8354-41C2-A44C-2C0DAABAD217", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert4:*:*:*:*:*:*", "matchCriteriaId": "3D4D96E8-1F01-42B8-9181-67DEB12D9DD2", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert5:*:*:*:*:*:*", "matchCriteriaId": "50D1B02A-F5F9-48EB-A396-412821F5D602", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert6:*:*:*:*:*:*", "matchCriteriaId": "4CBB2891-448F-4C4E-8A47-2283A8F71FE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert7:*:*:*:*:*:*", "matchCriteriaId": "A9AF30E9-FC50-4A5C-BC99-9B3394488B9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert8:*:*:*:*:*:*", "matchCriteriaId": "1A41366F-EA16-4867-A198-ACFFE5AFEA9A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Due to the /etc/asterisk/ast_debug_tools.conf file following bash semantics and it being loaded; an attacker with write permissions may add or modify the file such that when the root ast_coredumper is run; it would source and thereby execute arbitrary bash code found in the /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."}], "id": "CVE-2026-23741", "lastModified": "2026-02-18T18:42:31.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 0.0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 0.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-06T17:16:26.427", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:40:31.043237+00:00", "value": {"mitigation_remediation": ["Upgrade Asterisk to at least version 20.7-cert9 or later to incorporate the vendor patch. ", "Ensure that /etc/asterisk/ast_debug_tools.conf is not world\u2011writable; set permissions to 600 or as appropriate and confirm ownership by the asterisk user. ", "If an upgrade is not immediately possible, remove the source stanza from ast_coredumper or rewrite the script to ignore the configuration file entirely to prevent accidental execution of untrusted data."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Asterisk versions prior to 20.7\u2011cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2 are affected. All installations that include the asterisk/contrib/scripts/ast_coredumper utility and that run as root pose risk if the configuration directory is writable by the asterisk user.", "description_and_impact": "The ast_coredumper script runs with root privileges and sources a configuration file that is normally owned by the asterisk user and group. Because that file is writable by non\u2011privileged users, an attacker can inject arbitrary Bash code that will be executed by the root process. This flaw allows the attacker to gain full system privileges, compromising confidentiality, integrity, and availability of the host. The weakness is classified as CWE\u2011427, indicating an improper privilege escalation due to unsanitized path or executable sourcing.", "risk_and_exploitability": "The vulnerability carries a high exploitation potential for any user with write access to /etc/asterisk/ast_debug_tools.conf. The EPSS score is reported as less than 1\u202f%, indicating a very low likelihood of widespread observation, but the impact of exploitation is severe. The issue is not listed in the CISA KEV catalog, so no widespread exploits are currently known. Attackers would need local or remote means to modify the configuration file; once that is achieved, running the ast_coredumper will execute the attacker\u2019s code as root."}}}}, "created": "2026-02-09T10:50:30.471526+00:00", "updated": "2026-04-17T22:45:29.937668+00:00", "vendors": ["asterisk", "asterisk$PRODUCT$asterisk"]}