CVE-2026-23741

0.0 NONE

📋 TL;DR

Asterisk's ast_coredumper script runs with root privileges and sources a configuration file that the asterisk user can modify. An attacker who controls the asterisk user account can therefore execute arbitrary code as root whenever the script runs. Affects Asterisk installations prior to the patched versions listed below.

💻 Affected Systems

Products:
  • Asterisk
Versions: All versions prior to 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when the ast_coredumper script is present and /etc/asterisk/ast_debug_tools.conf is writable by the asterisk user.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full root compromise of the Asterisk server, allowing complete system takeover, data exfiltration, and lateral movement.

🟠

Likely Case

Privilege escalation from asterisk user to root, enabling installation of backdoors, modification of system files, and persistence.

🟢

If Mitigated

Limited to asterisk user compromise if proper file permissions and user isolation are implemented.

🌐 Internet-Facing: LOW - Requires existing asterisk user compromise, typically not directly internet-accessible.
🏢 Internal Only: MEDIUM - Internal attackers with asterisk user access can escalate to root, but requires initial access to that account.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires write access to asterisk user account. Exploitation is straightforward once that access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2

Vendor Advisory: https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3

Restart Required: No

Instructions:

1. Identify your Asterisk version.
2. Upgrade to a patched version: 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2.
3. Verify the fix by checking the version and the file permissions.

🔧 Temporary Workarounds

Restrict file permissions (Linux)

Remove write permissions for the asterisk user on the configuration file:

chmod 640 /etc/asterisk/ast_debug_tools.conf
chown root:asterisk /etc/asterisk/ast_debug_tools.conf

Remove vulnerable script (Linux)

Delete or disable the ast_coredumper script if it is not needed. The two commands are alternatives, not a sequence (chmod on an already deleted file fails):

rm /usr/sbin/ast_coredumper
# or, to keep the file in place but make it unusable:
chmod 000 /usr/sbin/ast_coredumper

🧯 If You Can't Patch

  • Restrict asterisk user permissions to prevent write access to the /etc/asterisk directory
  • Implement strict access controls and monitoring for the asterisk user account

🔍 How to Verify

Check if Vulnerable:

Check the Asterisk version and verify that the ast_coredumper script exists and is owned by root:

ls -la /usr/sbin/ast_coredumper

Check Version:

asterisk -V | grep 'Asterisk'

Verify Fix Applied:

Confirm that the Asterisk version is patched and that /etc/asterisk/ast_debug_tools.conf has proper permissions (owned by root and not writable by the asterisk user).
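The verification steps above can be scripted. The following audit helper is an added example, not code from the advisory or from the Asterisk project: it compares the output of asterisk -V against the fixed releases named above and checks that the configuration file, its directory and the ast_coredumper script are owned by root and carry no group or world write bit. The paths and version numbers come from this advisory; the function names, the AST_DEBUG_CONF / AST_COREDUMPER override variables and the exit-code convention are this script's own choices.

```shell
#!/bin/sh
# Added audit helper for CVE-2026-23741 (example code, not part of the
# advisory or of Asterisk). Paths, fixed release numbers and the target state
# "owned by root, not writable by asterisk" come from the advisory; function
# names and exit codes are this script's own. Needs GNU coreutils stat(1).

CONF="${AST_DEBUG_CONF:-/etc/asterisk/ast_debug_tools.conf}"
SCRIPT="${AST_COREDUMPER:-/usr/sbin/ast_coredumper}"

# 0 = owned by uid 0, 1 = owned by someone else, 2 = path missing.
owned_by_root() {
    uid=$(stat -c '%u' "$1" 2>/dev/null) || return 2
    [ "$uid" -eq 0 ]
}

# 0 = neither group nor other has a write bit. Uses the symbolic mode string
# (e.g. "-rw-r-----"): character 6 is group write, character 9 is other write.
not_group_or_world_writable() {
    sym=$(stat -c '%A' "$1" 2>/dev/null) || return 2
    case "$sym" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Compare an "asterisk -V" banner with the fixed releases in the advisory.
# 0 = at or above the fixed release, 1 = older (vulnerable),
# 2 = not covered (GIT builds, certified branches other than 20.7).
version_is_fixed() {
    ver=${1#Asterisk }          # "22.8.1", "certified/20.7-cert9", "GIT-..."
    ver=${ver#certified/}
    case "$ver" in
        20.7-cert*)
            cert=${ver#20.7-cert}
            cert=${cert%%[!0-9]*}
            [ "${cert:-0}" -ge 9 ] && return 0
            return 1 ;;
        *-cert*) return 2 ;;
    esac
    ver=${ver%%[!0-9.]*}        # drop packaging suffixes such as "~dfsg"
    [ -n "$ver" ] || return 2
    set -- $(printf '%s' "$ver" | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    case "$major" in
        20) fmin=18; fpatch=2 ;;
        21) fmin=12; fpatch=1 ;;
        22) fmin=8;  fpatch=2 ;;
        23) fmin=2;  fpatch=2 ;;
        *)  return 2 ;;
    esac
    [ "$minor" -gt "$fmin" ] && return 0
    [ "$minor" -eq "$fmin" ] && [ "$patch" -ge "$fpatch" ] && return 0
    return 1
}

# Report one path. 0 = hardened, 1 = weak, 2 = absent.
audit_path() {
    path="$1"
    if [ ! -e "$path" ]; then
        printf '%-40s absent\n' "$path"
        return 2
    fi
    weak=0
    owned_by_root "$path" || { printf '%-40s WEAK: owner uid %s, not root\n' "$path" "$(stat -c '%u' "$path")"; weak=1; }
    not_group_or_world_writable "$path" || { printf '%-40s WEAK: group/world writable (%s)\n' "$path" "$(stat -c '%A' "$path")"; weak=1; }
    [ "$weak" -eq 0 ] && printf '%-40s ok (%s %s)\n' "$path" "$(stat -c '%U:%G' "$path")" "$(stat -c '%A' "$path")"
    return "$weak"
}

# Report the installed version. 1 only when it is confirmed older than the fix.
audit_version() {
    if ! command -v asterisk >/dev/null 2>&1; then
        echo "asterisk binary not in PATH; version not checked"
        return 0
    fi
    banner=$(asterisk -V 2>/dev/null)
    rc=0; version_is_fixed "$banner" || rc=$?
    case $rc in
        0) echo "version: $banner (fixed release)"; return 0 ;;
        1) echo "version: $banner (VULNERABLE: older than the fixed release)"; return 1 ;;
        *) echo "version: $banner (branch not covered by the advisory; check manually)"; return 0 ;;
    esac
}

# Exit 0 when nothing weak was found, 1 otherwise. Absent paths are not findings.
audit_all() {
    status=0
    audit_version || status=1
    for p in "$CONF" "$(dirname "$CONF")" "$SCRIPT"; do
        rc=0; audit_path "$p" || rc=$?
        [ "$rc" -eq 1 ] && status=1
    done
    return "$status"
}

audit_all
```

Run it on the Asterisk host as any user (stat and asterisk -V need no privileges); a non-zero exit means at least one finding. The directory check is included because a writable /etc/asterisk lets the asterisk user replace the file regardless of the file's own mode, so packaged installs where the asterisk user owns that directory will be flagged and need the directory ownership fixed as well.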

📡 Detection & Monitoring

Log Indicators:

  • Unexpected execution of ast_coredumper script
  • Modifications to /etc/asterisk/ast_debug_tools.conf file

Network Indicators:

  • None specific to this vulnerability

SIEM Query:

process.name:"ast_coredumper" OR (file.path:"/etc/asterisk/ast_debug_tools.conf" AND event.action:"modify")
