CVE-2022-26498
HIGHAsterisk < 16.25.1 - Uncontrolled Resource Consumption via STIR/SHAKEN File Download
Title source: llmDescription
An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2.
References (6)
Core 6
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
Third Party Advisory vendor-advisory
https://www.debian.org/security/2022/dsa-5285
Patch, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/166744/Asterisk-Project-Security-Advisory-AST-2022-001.html
Vendor Advisory
https://downloads.asterisk.org/pub/security/
Patch, Vendor Advisory
https://downloads.asterisk.org/pub/security/AST-2022-001.html
Exploit, Third Party Advisory
http://packetstormsecurity.com/files/172139/Shannon-Baseband-chatroom-SDP-Attribute-Memory-Corruption.html
Scores
CVSS v3
7.5
EPSS
0.0077
EPSS Percentile
73.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-400
Status
published
Products (3)
debian/debian_linux
10.0
debian/debian_linux
11.0
digium/asterisk
16.15.0 - 16.25.1
Published
Apr 15, 2022
Tracked Since
Feb 18, 2026