CVE-2026-23740

NONE

Sangoma Certified Asterisk < 20.18.2 - Uncontrolled Search Path

Title source: rule

Description

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission(which is all users on a linux system) to that directory can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

References (1)

[Vendor Advisory] https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c

Scores

CVSS v3 0.0

EPSS 0.0002

EPSS Percentile 3.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-427

Status published

Products (5)

sangoma/asterisk < 20.18.2

sangoma/certified_asterisk 13.13.0 (10 CPE variants)

sangoma/certified_asterisk 16.8 cert1-rc1 (14 CPE variants)

sangoma/certified_asterisk 16.8.0 (13 CPE variants)

sangoma/certified_asterisk 18.9 (12 CPE variants)

Published Feb 06, 2026

Tracked Since Feb 18, 2026