CVE-2026-23741
Unknown Unknown - Not Provided
Privilege Escalation via Writable Config in Asterisk ast_coredumper

Publication date: 2026-02-06

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Due to the /etc/asterisk/ast_debug_tools.conf file following bash semantics and it being loaded; an attacker with write permissions may add or modify the file such that when the root ast_coredumper is run; it would source and thereby execute arbitrary bash code found in the /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23741
EUVD
EUVD-2026-5648
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk to 18.9 (inc)
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma asterisk to 20.18.2 (exc)
sangoma asterisk From 21.0.0 (inc) to 21.12.1 (exc)
sangoma asterisk From 22.0.0 (inc) to 22.8.2 (exc)
sangoma asterisk From 23.0.0 (inc) to 23.2.2 (exc)
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23741 is a local privilege escalation vulnerability in the Asterisk telephony software. The issue arises because the ast_coredumper script runs with root privileges and sources a configuration file, /etc/asterisk/ast_debug_tools.conf, which is located in a directory writable by the non-privileged asterisk user:group. An attacker with write access to this file can insert malicious bash code. When the ast_coredumper script runs as root, it executes this attacker-controlled code, resulting in arbitrary code execution with root privileges.

Impact Analysis

This vulnerability allows an attacker with local access and the ability to write to the /etc/asterisk/ast_debug_tools.conf file to escalate their privileges to root. This means the attacker can execute arbitrary commands with root-level permissions, potentially taking full control of the affected system.

Compliance Impact

I don't know

Detection Guidance

To detect this vulnerability on your system, you should check the permissions of the /etc/asterisk/ast_debug_tools.conf file and the /etc/asterisk directory to see if they are writable by the asterisk user:group. If the asterisk user can write to this configuration file, the system is vulnerable.

  • Run the command: ls -l /etc/asterisk/ast_debug_tools.conf to check the file permissions.
  • Run the command: ls -ld /etc/asterisk to check the directory permissions.
  • Verify if the ast_coredumper script is present and runs as root: ls -l $(which ast_coredumper) or check the script location at asterisk/contrib/scripts/ast_coredumper.

If the file or directory is writable by the asterisk user, an attacker with access to that user could modify the configuration file to execute arbitrary code with root privileges.

Mitigation Strategies

Immediate mitigation steps include restricting write permissions on the /etc/asterisk/ast_debug_tools.conf file and the /etc/asterisk directory so that the asterisk user:group cannot modify them.

  • Change ownership and permissions of /etc/asterisk/ast_debug_tools.conf to root only, for example: sudo chown root:root /etc/asterisk/ast_debug_tools.conf and sudo chmod 644 /etc/asterisk/ast_debug_tools.conf.
  • Restrict the /etc/asterisk directory permissions to prevent write access by the asterisk user: sudo chown root:root /etc/asterisk and sudo chmod 755 /etc/asterisk.

Additionally, upgrade Asterisk to one of the fixed versions: 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2, where this vulnerability has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23741. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart