{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23740", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-15T15:45:01.958Z", "datePublished": "2026-02-06T16:43:41.330Z", "dateUpdated": "2026-02-06T19:11:55.655Z"}, "containers": {"cna": {"title": "Asterisk vulnerable to potential privilege escalation", "problemTypes": [{"descriptions": [{"cweId": "CWE-427", "lang": "en", "description": "CWE-427: Uncontrolled Search Path Element", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c"}], "affected": [{"vendor": "asterisk", "product": "asterisk", "versions": [{"version": "< 23.2.2", "status": "affected"}, {"version": "< 22.8.2", "status": "affected"}, {"version": "< 21.12.1", "status": "affected"}, {"version": "< 20.18.2", "status": "affected"}, {"version": "< 20.7-cert9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T16:43:52.278Z"}, "descriptions": [{"lang": "en", "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission(which is all users on a linux system) to that directory can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."}], "source": {"advisory": "GHSA-xpc6-x892-v83c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T19:11:52.277402Z", "id": "CVE-2026-23740", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T19:11:55.655Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-23740", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-06T19:11:52.277402Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T17:33:48.909Z"}}], "cna": {"title": "Asterisk vulnerable to potential privilege escalation", "source": {"advisory": "GHSA-xpc6-x892-v83c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 0, "attackVector": "LOCAL", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "asterisk", "product": "asterisk", "versions": [{"status": "affected", "version": "< 23.2.2"}, {"status": "affected", "version": "< 22.8.2"}, {"status": "affected", "version": "< 21.12.1"}, {"status": "affected", "version": "< 20.18.2"}, {"status": "affected", "version": "< 20.7-cert9"}]}], "references": [{"url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c", "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission(which is all users on a linux system) to that directory can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-427", "description": "CWE-427: Uncontrolled Search Path Element"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T16:43:52.278Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23740", "state": "PUBLISHED", "dateUpdated": "2026-02-06T19:11:55.655Z", "dateReserved": "2026-01-15T15:45:01.958Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T16:43:41.330Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission(which is all users on a linux system) to that directory can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."}], "id": "CVE-2026-23740", "lastModified": "2026-02-06T21:57:22.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 0.0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 0.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-06T17:16:26.290", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "Asterisk: Asterisk: Arbitrary code execution and file overwrite as root via insecure ast_coredumper file handling", "id": "2437723", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437723"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-379", "details": ["Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission(which is all users on a linux system) to that directory can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.", "A flaw was found in Asterisk. When the ast_coredumper writes its gdb init and output files to a world-writable directory, a local attacker with write permissions to that directory can exploit this vulnerability. By manipulating the gdb init file and output paths, the attacker can cause the system to execute arbitrary commands as root or overwrite arbitrary files, leading to privilege escalation and potential system compromise."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, configure Asterisk's ast_coredumper to write its gdb initialization and output files to a directory with restricted permissions, preventing unprivileged users from modifying them. Ensure the chosen directory is not world-writable. Consult Asterisk documentation for specific configuration parameters related to ast_coredumper output paths. A restart of the Asterisk service may be required for changes to take effect."}, "name": "CVE-2026-23740", "public_date": "2026-02-06T16:43:41Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23740\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23740\nhttps://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c"], "statement": "This IMPORTANT vulnerability in Asterisk allows a local attacker to achieve privilege escalation. When the `ast_coredumper` writes to a world-writable directory, such as `/tmp`, a local user can manipulate the GDB init and output files. This manipulation can lead to the execution of arbitrary commands as root or the overwriting of arbitrary files. This affects Asterisk packages in Red Hat Community Projects, including EPEL 8, EPEL 9, Fedora 42, and Fedora 43.", "threat_severity": "Important"}