Executive Summary

CVE-2026-23740 is a vulnerability in the ast_coredumper component of the Asterisk software. The issue occurs because ast_coredumper runs with root privileges and writes GDB initialization files and output files to a world-writable directory, such as /tmp. Since all users on a Linux system can write to this directory, an attacker can manipulate the GDB init file or output paths to execute arbitrary commands or overwrite files as root.

The vulnerability arises from the fact that GDB initialization files can contain commands that get executed by GDB. An attacker can pre-create or modify the /tmp/.gdbinit file or race the script to change it before GDB runs, leading to privilege escalation. Additionally, the script uses a trap command to delete the gdb init file on exit, which can be exploited to delete arbitrary files.

This vulnerability has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2 of Asterisk.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a local attacker with write access to a world-writable directory to escalate their privileges to root by manipulating GDB initialization files executed by the ast_coredumper process running as root.

The attacker can execute arbitrary commands with root privileges or overwrite arbitrary files, potentially compromising the entire system.

Additionally, the attacker can exploit the deletion mechanism of the gdb init file to delete arbitrary files, further increasing the potential damage.

However, the vulnerability is rated with low severity and a CVSS v3.1 base score of 0.0, indicating that exploitation requires local access and user interaction, and it does not impact confidentiality, integrity, or availability directly.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the ast_coredumper component of Asterisk is writing GDB initialization files and output files to a world-writable directory such as /tmp.

You can verify the permissions of the directory where ast_coredumper writes its files to see if it is world-writable, which would allow exploitation.

• Run: ls -ld /tmp
• Check for the presence of .gdbinit files or symlinks in /tmp: ls -l /tmp/.gdbinit
• Verify the version of Asterisk installed to determine if it is vulnerable: asterisk -V

If the directory is world-writable and the Asterisk version is prior to the patched versions (20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2), the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Asterisk to one of the patched versions: 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2.

Additionally, restrict write permissions on the directory where ast_coredumper writes its gdb init and output files, typically /tmp, to prevent unprivileged users from modifying or creating malicious files.

• Change permissions on /tmp or configure ast_coredumper to use a non-world-writable directory.
• Monitor and remove any suspicious .gdbinit files or symlinks in the writable directory.

These steps help prevent attackers from exploiting the vulnerability by controlling the gdb init file and output paths.

Useful 0 Not Useful 0