CVE-2026-23741
Privilege Escalation via Writable Config in Asterisk ast_coredumper
Publication date: 2026-02-06
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sangoma | certified_asterisk | 20.7 |
| sangoma | certified_asterisk | to 18.9 (inc) |
| sangoma | asterisk | to 20.18.2 (exc) |
| sangoma | asterisk | From 21.0.0 (inc) to 21.12.1 (exc) |
| sangoma | asterisk | From 22.0.0 (inc) to 22.8.2 (exc) |
| sangoma | asterisk | From 23.0.0 (inc) to 23.2.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23741 is a local privilege escalation vulnerability in the Asterisk telephony software. The issue arises because the ast_coredumper script runs with root privileges and sources a configuration file, /etc/asterisk/ast_debug_tools.conf, which is located in a directory writable by the non-privileged asterisk user:group. An attacker with write access to this file can insert malicious bash code. When the ast_coredumper script runs as root, it executes this attacker-controlled code, resulting in arbitrary code execution with root privileges.
How can this vulnerability impact me?
This vulnerability allows an attacker with local access and the ability to write to the /etc/asterisk/ast_debug_tools.conf file to escalate their privileges to root. This means the attacker can execute arbitrary commands with root-level permissions, potentially taking full control of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability on your system, you should check the permissions of the /etc/asterisk/ast_debug_tools.conf file and the /etc/asterisk directory to see if they are writable by the asterisk user:group. If the asterisk user can write to this configuration file, the system is vulnerable.
- Run the command: ls -l /etc/asterisk/ast_debug_tools.conf to check the file permissions.
- Run the command: ls -ld /etc/asterisk to check the directory permissions.
- Check whether the ast_coredumper script, which is the script that runs as root, is present: ls -l $(which ast_coredumper) or check the script location at asterisk/contrib/scripts/ast_coredumper.
If the file or directory is writable by the asterisk user, an attacker with access to that user could modify the configuration file to execute arbitrary code with root privileges.
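The permission checks above combined into one audit, as an added example that is not part of the original page or of the Asterisk project. The function names and the trusted_uid parameter are assumptions; a path is flagged when it is owned by anyone other than that uid (root by default) or when its mode grants write access to group or other.

```shell
#!/usr/bin/env bash
# Added example: audit a config file that a root-run script sources.

# Print the path if it is not owned by the trusted uid, or if its mode
# grants write access to group or other.
risky_path() {
    find "$1" -prune \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# audit_sourced_conf [conf_path] [trusted_uid]
# Returns the number of risky paths found (0 = clean).
audit_sourced_conf() {
    conf=${1:-/etc/asterisk/ast_debug_tools.conf}   # path named in the advisory
    trusted=${2:-0}                                 # assumption: only root should write
    findings=0
    # The directory matters too: write access there allows replacing the file.
    for p in "$conf" "$(dirname "$conf")"; do
        [ -e "$p" ] || continue
        if [ -n "$(risky_path "$p" "$trusted")" ]; then
            echo "RISK: $(ls -ld "$p")"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

audit_sourced_conf "$@" || echo "risky paths: $?"
```

A group-writable path is reported even when the group is root's, so review each reported line against the accounts that actually belong to that group.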
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting write permissions on the /etc/asterisk/ast_debug_tools.conf file and the /etc/asterisk directory so that the asterisk user:group cannot modify them.
- Change ownership and permissions of /etc/asterisk/ast_debug_tools.conf to root only, for example: sudo chown root:root /etc/asterisk/ast_debug_tools.conf and sudo chmod 644 /etc/asterisk/ast_debug_tools.conf.
- Restrict the /etc/asterisk directory permissions to prevent write access by the asterisk user: sudo chown root:root /etc/asterisk and sudo chmod 755 /etc/asterisk.
Additionally, upgrade Asterisk to one of the fixed versions: 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2, where this vulnerability has been patched.