CVE-2026-23740
📋 TL;DR
This vulnerability in Asterisk allows local attackers to escalate privileges to root by exploiting insecure temporary file handling in the ast_coredumper component. Any Asterisk installation running vulnerable versions on Linux systems with world-writable directories like /tmp is affected. The attacker must have local access to the system.
💻 Affected Systems
- Asterisk
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full root compromise allowing arbitrary command execution, file system modification, and complete system takeover.
Likely Case
Local privilege escalation from any user account to root, enabling installation of backdoors, data theft, or lateral movement.
If Mitigated
Limited impact if proper directory permissions are enforced and SELinux/AppArmor restricts write access to critical directories.
🎯 Exploit Status
Exploitation requires local access but is straightforward once the attacker can write to the target directory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2
Vendor Advisory: https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c
Restart Required: Yes
Instructions:
1. Identify your Asterisk version.
2. Upgrade to the patched version matching your release stream.
3. Restart the Asterisk service.
4. Verify the fix by checking the version and testing core dump functionality.
🔧 Temporary Workarounds
Secure temporary directory permissions
Linux: Change permissions on /tmp or other world-writable directories to prevent unauthorized writes
chmod 1777 /tmp
chmod 1777 /var/tmp
Configure secure tmp directory for Asterisk
Linux: Configure Asterisk to use a non-world-writable directory for core dumps
Edit asterisk.conf: set 'astcoredir = /var/lib/asterisk/coredumps'
mkdir -p /var/lib/asterisk/coredumps
chmod 700 /var/lib/asterisk/coredumps
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized local user accounts
- Deploy SELinux or AppArmor policies to restrict Asterisk's file system access
🔍 How to Verify
Check if Vulnerable:
Check Asterisk version: asterisk -rx 'core show version' and compare against vulnerable versions list
Check Version:
asterisk -rx 'core show version' | grep 'Asterisk'
Verify Fix Applied:
Confirm version is 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2 or newer
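The comparison above has to be made per release stream, since 20.18.2 is older than 21.12.0 numerically but only the former carries the fix. The following is an added example, not a script from the advisory or the Asterisk project: check_asterisk_fix and is_num are hypothetical helper names, and the accepted input formats (a bare version, a certified-... string, or a full 'core show version' line) are assumptions.

```shell
#!/bin/sh
# Added example: classify an Asterisk version against the fixed releases
# listed on this page (20.7-cert9, 20.18.2, 21.12.1, 22.8.2, 23.2.2).

is_num() { case $1 in ""|*[!0-9]*) return 1 ;; esac; }

# Prints "patched", "unpatched" or "unknown" for one version string.
check_asterisk_fix() {
    v=$1
    # Accept a full "core show version" line: "Asterisk <version> built by ..."
    case $v in
        "Asterisk "*) v=${v#Asterisk }; v=${v%% *} ;;
    esac
    # Certified builds: certified-20.7-cert8 or certified/20.7-cert8.
    v=${v#certified-}; v=${v#certified/}

    case $v in
        *-cert*)
            base=${v%%-cert*}; have=${v##*-cert}
            [ "$base" = "20.7" ] && is_num "$have" || { echo unknown; return; }
            want=9 ;;
        *)
            major=${v%%.*}; rest=${v#*.}
            minor=${rest%%.*}; patch=${rest#*.}
            # Require exactly major.minor.patch with numeric parts;
            # release candidates and other suffixes are reported as unknown.
            [ "$rest" != "$v" ] && [ "$patch" != "$rest" ] &&
                is_num "$minor" && is_num "$patch" || { echo unknown; return; }
            case $major in
                20) fmin=18 fpat=2 ;;
                21) fmin=12 fpat=1 ;;
                22) fmin=8  fpat=2 ;;
                23) fmin=2  fpat=2 ;;
                *)  echo unknown; return ;;  # stream not listed on this page
            esac
            # Collapse minor.patch into one comparable number.
            have=$((minor * 1000 + patch)); want=$((fmin * 1000 + fpat)) ;;
    esac
    if [ "$have" -ge "$want" ]; then echo patched; else echo unpatched; fi
}
```

A result of "unknown" means the stream is not one of the five listed here and needs to be checked against the vendor advisory by hand.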
📡 Detection & Monitoring
Log Indicators:
- Unauthorized writes to /tmp/asterisk-gdb-* files
- Suspicious gdb command execution by asterisk user
Network Indicators:
- None - local exploitation only
SIEM Query:
process.name:gdb AND parent.name:asterisk AND command_line:*tmp*