Main Vulnerability Database Vulnerabilities #VU135537

Heap-based buffer overflow in Asterisk Open Source and Certified Asterisk - CVE-2026-57197

Published: June 26, 2026

Vulnerability identifier: #VU135537

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-57197

CWE-ID: CWE-122

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Digium (Linux Support Services)

Affected software:
Asterisk Open Source
Certified Asterisk

Detailed vulnerability description

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a heap-based buffer overflow in format_ogg_speex when processing a crafted OGG/Speex audio file. A local user can provide a file containing corrupted speex data to cause a denial of service.

Asterisk must be configured to play the file, and exploitation requires the ability to make the crafted file available to the system or to convince an administrator to do so.

How to mitigate CVE-2026-57197

Install security update from vendor's website.

Sources

https://github.com/asterisk/asterisk/security/advisories/GHSA-8jhw-m2hg-vp3h

Heap-based buffer overflow in Asterisk Open Source and Certified Asterisk - CVE-2026-57197

Detailed vulnerability description

How to mitigate CVE-2026-57197

Sources

Please verify you're human