CVE-2026-23740
NONESangoma Certified Asterisk - Uncontrolled Search Path Element via World-Writable Directory
Title source: llmDescription
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission(which is all users on a linux system) to that directory can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c
Scores
CVSS v3
0.0
EPSS
0.0011
EPSS Percentile
1.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-427
Status
published
Products (5)
sangoma/asterisk
< 20.18.2
sangoma/certified_asterisk
13.13.0 (10 CPE variants)
sangoma/certified_asterisk
16.8 cert1-rc1 (14 CPE variants)
sangoma/certified_asterisk
16.8.0 (13 CPE variants)
sangoma/certified_asterisk
18.9 (12 CPE variants)
Published
Feb 06, 2026
Tracked Since
Feb 18, 2026