SB20260626110 - Multiple vulnerabilities in Asterisk



Published: June 26, 2026

Security Bulletin ID: SB20260626110
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 20
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 60%, Low: 40%

Description

This security bulletin contains information about 20 vulnerabilities.


1) Untrusted search path (CVE-ID: CVE-2026-57203)

CWE-ID: CWE-426 - Untrusted Search Path

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to an untrusted search path in the ast_loggrabber script, which executes a Python script from the /tmp directory. A local user can place a malicious script in /tmp to escalate privileges.

Exploitation requires prior shell access on the Asterisk server and an administrator to run the ast_loggrabber script with elevated privileges.


2) Improper Neutralization of Special Elements in Data Query Logic (CVE-ID: CVE-2026-57193)

CWE-ID: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper neutralization of special elements in data query logic in the res_config_ldap realtime driver when processing crafted SIP packets containing a SIP username. A remote attacker can send specially crafted SIP packets to disclose sensitive information.

The issue is exposed only when the res_config_ldap module is loaded and configured to access an LDAP server.


3) SQL injection (CVE-ID: CVE-2026-57190)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the CELGenUserEvent eventtype field in the cel_pgsql and cel_tds Channel Event Log backends when processing untrusted event data. A remote user can supply a crafted eventtype value to execute arbitrary SQL commands.

The issue is exposed only when the cel_pgsql or cel_tds backend is loaded and configured and the dialplan uses the CELGenUserEvent application.


4) Heap-based buffer overflow (CVE-ID: CVE-2026-57197)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a heap-based buffer overflow in format_ogg_speex when processing a crafted OGG/Speex audio file. A local user can provide a file containing corrupted speex data to cause a denial of service.

Asterisk must be configured to play the file, and exploitation requires the ability to make the crafted file available to the system or to convince an administrator to do so.


5) Stack-based buffer overflow (CVE-ID: CVE-2026-57191)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a stack-based buffer overflow in Message-Account parsing in res_pjsip_pubsub when handling a crafted MWI NOTIFY packet. A remote attacker can send a carefully crafted packet to cause a denial of service.

The issue can corrupt the underlying transport and permanently disable SIP functionality until the service is restarted.


6) Stack-based buffer overflow (CVE-ID: CVE-2026-57188)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to stack-based buffer overflow in res_xmpp XMPP namespace prefix handling when processing carefully crafted XMPP packets. A remote user can send specially crafted XMPP packets to cause a denial of service.

The res_xmpp module must be loaded, an XMPP connection must be configured in xmpp.conf, and the attacker must have an XMPP account on the same or a federated server.


7) Out-of-bounds write (CVE-ID: CVE-2026-57199)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to corrupt memory or cause a denial of service.

The vulnerability exists due to out-of-bounds write in app_sms when processing externally controlled SMS lengths. A remote attacker can supply crafted SMS length values to corrupt memory or cause a denial of service.

The issue is exposed only when the SMS dialplan application is explicitly used for routing calls to or from analog devices.


8) NULL pointer dereference (CVE-ID: CVE-2026-57195)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the HTTP AMI digest authentication handler when processing crafted HTTP requests for AMI digest authentication. A remote attacker can send a specially crafted HTTP request to cause a denial of service.

The issue is exploitable only when the Asterisk HTTP web server is enabled, the Asterisk Manager Interface is enabled, and access to the AMI via HTTP is enabled.


9) Stack-based buffer overflow (CVE-ID: CVE-2026-57201)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to stack-based buffer overflow in the H.323 ooh323c_trace function when processing a crafted H.323 packet. A remote attacker can send a specially crafted packet to cause a denial of service.

Only systems with the chan_ooh323 addon channel driver explicitly compiled and installed are vulnerable.


10) Out-of-bounds write (CVE-ID: CVE-2026-57192)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to out-of-bounds write in the Codec2 decoder when processing carefully crafted Codec2 audio packets during a call. A remote user can send crafted Codec2 audio packets to cause a denial of service.

The codec_codec2 module must be loaded, the codec2 codec must be configured on the attacked endpoint, and user authentication is required to establish a call using the codec.


11) Cross-site scripting (CVE-ID: CVE-2026-57196)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser and impersonate an authorized user.

The vulnerability exists due to cross-site scripting in Phone Provisioning HTTP error pages when handling crafted HTTP requests. A remote attacker can send a malicious link to a victim to execute arbitrary script in the victim's browser and impersonate an authorized user.

User interaction is required, and exploitation is possible only when the res_phoneprov module is enabled and the HTTP server and AMI over HTTP are enabled.


12) Buffer over-read (CVE-ID: CVE-2026-57185)

CWE-ID: CWE-126 - Buffer over-read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to out-of-bounds read in the PJSIP MWI body parser when handling a crafted SIP NOTIFY request. A remote user can send a specially crafted SIP NOTIFY request to cause a denial of service.

The attacker must be able to pass SIP authentication either by username and password or by source IP address matching.


13) Heap-based buffer overflow (CVE-ID: CVE-2026-57198)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to heap-based buffer overflow in the T.140 RED handling in chan_sip when processing carefully crafted packets. A remote user can send specially crafted packets to execute arbitrary code or cause a denial of service.

Only systems using the chan_sip channel driver with the textsupport option enabled are vulnerable.


14) Out-of-bounds write (CVE-ID: CVE-2026-57189)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to an out-of-bounds write in T.140 RED generation handling when processing carefully crafted packets. A remote user can send such packets to execute arbitrary code or cause a denial of service.

Only systems using the chan_sip channel driver with the textsupport option enabled are vulnerable.


15) Insufficient Granularity of Access Control (CVE-ID: CVE-2026-57202)

CWE-ID: CWE-1220 - Insufficient Granularity of Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform unauthorized file writes.

The vulnerability exists due to insufficient granularity of access control in the ARI setChannelVar functionality when handling requests to set channel variables using the FILE() dialplan function. A remote user can send a specially crafted request to perform unauthorized file writes.

The Asterisk HTTP webserver must be enabled, and the issue is reachable only if the attacker can connect to that server. Valid read-only ARI credentials are required.


16) Out-of-bounds read (CVE-ID: CVE-2026-57184)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds read in the chan_ooh323 Q.931 information element parser when processing crafted setup packets. A remote attacker can send specially crafted setup packets to cause a denial of service.

The chan_ooh323 addon channel driver must be explicitly compiled and installed, and the port used by chan_ooh323 must be open to the public.


17) Use-after-free (CVE-ID: CVE-2026-57187)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to use-after-free in PJSIP TCP/SDP handling when processing a SIP INVITE over a connection-oriented transport and the TCP connection closes during SDP processing. A remote user can send a specially crafted SIP INVITE and disconnect before Asterisk responds with the 200 OK to cause a denial of service.

The issue has only been reproduced when Address Sanitizer is enabled.


18) Path traversal (CVE-ID: CVE-2026-57200)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute write operations and conditionally execute arbitrary code.

The vulnerability exists due to improper access control and path traversal in the ARI REST-over-WebSocket feature when handling authenticated WebSocket requests. A remote user can send crafted requests to load an arbitrary module path and execute write operations and conditionally execute arbitrary code.

The Asterisk HTTP web server must be enabled, and the attacker must be able to connect to it. The issue affects read-only ARI credentials.


19) Out-of-bounds write (CVE-ID: CVE-2026-57194)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to out-of-bounds write in the chan_unistim DIALPAGE digit handling for the phone_number buffer when processing a crafted incoming UNISTIM request packet. A remote user can send a carefully crafted incoming request packet to cause a denial of service.

The chan_unistim module must be loaded and configured with a valid UNISTIM UDP port, and exploitation requires registering as a configured phone MAC or using an equivalent provisioning path that allows a client to reach the main page.


20) Numeric Range Comparison Without Minimum Check (CVE-ID: CVE-2026-57186)

CWE-ID: CWE-839 - Numeric Range Comparison Without Minimum Check

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to numeric range comparison without minimum check in the chan_ooh323 Q.931 party-number parser when parsing malformed Q.931 elements in an OOH323 request. A remote attacker can send a specially crafted OOH323 request to cause a denial of service.

Only systems with the chan_ooh323 addon channel driver explicitly compiled and installed are vulnerable.
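The following is an added example, not Asterisk code and not a description of the chan_ooh323 Q.931 parser; it illustrates the generic CWE-839 pattern behind item 20 with a hypothetical length-prefixed element format. The buffer size PARTY_NUMBER_MAX, the element layout and the sample inputs are constructed for the example. The vulnerable check compares a signed length only against the maximum, so a negative value passes; the fixed check enforces both bounds and also validates the length against the bytes actually received.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical fixed-size destination buffer (constructed for this example). */
#define PARTY_NUMBER_MAX 32

/* Vulnerable pattern (CWE-839): only the upper bound is checked.
 * A negative length slips through and is later used as a size. */
bool length_ok_vulnerable(int len)
{
    return len <= PARTY_NUMBER_MAX;
}

/* Fixed pattern: both the minimum and the maximum are enforced. */
bool length_ok_fixed(int len)
{
    return len >= 0 && len <= PARTY_NUMBER_MAX;
}

/* Hypothetical element format: [len byte][len bytes of digits].
 * Returns the number of bytes copied into out (NUL-terminated),
 * or -1 if the element is rejected. */
int parse_party_number(const uint8_t *elem, size_t elem_len,
                       char out[PARTY_NUMBER_MAX + 1])
{
    if (elem_len < 1) {
        return -1;
    }

    /* Root cause of the pattern: the wire byte is interpreted as signed,
     * so 0xFF becomes -1 rather than 255. */
    int len = (int8_t)elem[0];

    if (!length_ok_fixed(len)) {
        return -1;              /* rejects negative and oversized lengths */
    }
    if ((size_t)len > elem_len - 1) {
        return -1;              /* declared length exceeds received bytes */
    }

    memcpy(out, elem + 1, (size_t)len);
    out[len] = '\0';
    return len;
}

/* Self-check over constructed inputs; returns 0 when every case behaves
 * as expected, otherwise the number of the first failing case. */
int run_self_test(void)
{
    char out[PARTY_NUMBER_MAX + 1];

    const uint8_t good[] = { 5, '1', '2', '3', '4', '5' };
    if (parse_party_number(good, sizeof good, out) != 5) return 1;
    if (strcmp(out, "12345") != 0) return 2;

    const uint8_t negative[] = { 0xFF, 'a' };   /* len byte reads as -1 */
    if (length_ok_vulnerable(-1) != true) return 3;  /* the bug: accepted */
    if (parse_party_number(negative, sizeof negative, out) != -1) return 4;

    const uint8_t truncated[] = { 5, '1', '2' }; /* claims 5, carries 2 */
    if (parse_party_number(truncated, sizeof truncated, out) != -1) return 5;

    return 0;
}
```

The self-check shows the contrast directly: length_ok_vulnerable accepts -1, while parse_party_number, built on length_ok_fixed, rejects the same element along with a truncated one whose declared length exceeds the payload.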


Remediation

Install the update from the vendor's website.

References