Bug#1127438: asterisk: CVE-2026-23738 CVE-2026-23739 CVE-2026-23740 CVE-2026-23741

Salvatore Bonaccorso carnil at debian.org
Sun Feb 8 18:21:05 GMT 2026


Source: asterisk
Version: 1:22.8.0+dfsg+~cs6.15.60671435-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerabilities were published for asterisk.

CVE-2026-23738[0]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and
| 23.2.2, user supplied/control values for Cookies and any GET
| variable query Parameter are directly interpolated into the HTML of
| the page using ast_str_append. The endpoint at GET /httpstatus is
| the potentially vulnerable endpoint relating to asterisk/main/http.c.
| This issue has been patched in versions 20.7-cert9, 20.18.2,
| 21.12.1, 22.8.2, and 23.2.2.


CVE-2026-23739[1]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and
| 23.2.2, the ast_xml_open() function in xml.c parses XML documents
| using libxml with unsafe parsing options that enable entity
| expansion and XInclude processing. Specifically, it invokes
| xmlReadFile() with the XML_PARSE_NOENT flag and later processes
| XIncludes via xmlXIncludeProcess(). If any untrusted or user-supplied
| XML file is passed to this function, it can allow an attacker to
| trigger XML External Entity (XXE) or XInclude-based local file
| disclosure, potentially exposing sensitive files from the host
| system. This can also be triggered in other cases in which the user
| is able to supply input in xml format that triggers the asterisk
| process to parse it. This issue has been patched in versions
| 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.


CVE-2026-23740[2]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and
| 23.2.2, when ast_coredumper writes its gdb init and output files to
| a directory that is world-writable (for example /tmp), an attacker
| with write permission (which is all users on a Linux system) to that
| directory can cause root to execute arbitrary commands or overwrite
| arbitrary files by controlling the gdb init file and output paths.
| This issue has been patched in versions 20.7-cert9, 20.18.2,
| 21.12.1, 22.8.2, and 23.2.2.


CVE-2026-23741[3]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and
| 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as
| noted by the NOTES tag on line 689 of the ast_coredumper file. The
| script will source the contents of
| /etc/asterisk/ast_debug_tools.conf, which resides in a folder that
| is writeable by the asterisk user:group. Due to the
| /etc/asterisk/ast_debug_tools.conf file following bash semantics and
| it being loaded, an attacker with write permissions may add or
| modify the file such that when the root ast_coredumper is run, it
| would source and thereby execute arbitrary bash code found in the
| /etc/asterisk/ast_debug_tools.conf. This issue has been patched in
| versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-23738
    https://www.cve.org/CVERecord?id=CVE-2026-23738
[1] https://security-tracker.debian.org/tracker/CVE-2026-23739
    https://www.cve.org/CVERecord?id=CVE-2026-23739
[2] https://security-tracker.debian.org/tracker/CVE-2026-23740
    https://www.cve.org/CVERecord?id=CVE-2026-23740
[3] https://security-tracker.debian.org/tracker/CVE-2026-23741
    https://www.cve.org/CVERecord?id=CVE-2026-23741

FWIW, yes CVE-2026-23739 would not warrant even an important severity
bug, as asterisk does not allow untrusted or user-supplied XML to be
used, but I'm just filing here one bug for all four new CVEs.

Regards,
Salvatore
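The CVE-2026-23738 description above boils down to one pattern: a cookie or query-string value is appended to the /httpstatus page body without HTML escaping. The following is an added example, not Asterisk's code or its fix; `html_escape`, `render_row_unsafe` and `render_row_safe` are hypothetical names, and the snprintf calls stand in for the ast_str_append() calls that build the real page. It shows the unsafe interpolation beside the escaped form so the difference in output is visible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not Asterisk code): escape the five HTML-significant
 * characters so a user-controlled string can be placed in element text
 * or a double-quoted attribute. Returns a malloc'ed string or NULL. */
char *html_escape(const char *in)
{
    size_t out_len = 0;
    const char *p;
    char *out, *q;

    /* First pass: compute the escaped length. */
    for (p = in; *p; p++) {
        switch (*p) {
        case '&':  out_len += 5; break; /* &amp;  */
        case '<':  out_len += 4; break; /* &lt;   */
        case '>':  out_len += 4; break; /* &gt;   */
        case '"':  out_len += 6; break; /* &quot; */
        case '\'': out_len += 5; break; /* &#39;  */
        default:   out_len += 1;
        }
    }
    out = malloc(out_len + 1);
    if (!out) {
        return NULL;
    }
    /* Second pass: copy, substituting entities. */
    for (p = in, q = out; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(q, rep, n);
            q += n;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Vulnerable pattern: the raw name/value pair is interpolated straight
 * into the page buffer, as the advisory describes for /httpstatus. */
int render_row_unsafe(char *buf, size_t size, const char *name, const char *value)
{
    return snprintf(buf, size, "<tr><td>%s</td><td>%s</td></tr>", name, value);
}

/* Hardened pattern: both user-controlled strings are escaped first. */
int render_row_safe(char *buf, size_t size, const char *name, const char *value)
{
    char *en = html_escape(name);
    char *ev = html_escape(value);
    int n;

    if (!en || !ev) {
        free(en);
        free(ev);
        return -1;
    }
    n = snprintf(buf, size, "<tr><td>%s</td><td>%s</td></tr>", en, ev);
    free(en);
    free(ev);
    return n;
}

int main(void)
{
    char buf[256];
    /* Constructed sample input: a query parameter carrying markup. */
    const char *value = "<script>x</script>";

    render_row_unsafe(buf, sizeof buf, "param", value);
    printf("unsafe: %s\n", buf);
    render_row_safe(buf, sizeof buf, "param", value);
    printf("safe:   %s\n", buf);
    return 0;
}
```

Escaping at the point of output is the check that matters here: whatever validation the request layer does, the value must not reach the page buffer in a form the browser will parse as markup.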
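CVE-2026-23740 and CVE-2026-23741 share a root cause: a script running as root trusts a file it sources and a directory it writes into without checking who else can write there. The following is an added example, not Asterisk's ast_coredumper or its fix; `safe_to_source`, `safe_scratch_dir` and `audit_demo` are hypothetical names, and the temporary directory and config file it creates are constructed for the demonstration. It shows the ownership and permission checks a privileged tool can apply before sourcing a config file or writing scratch files, and why a world-writable directory such as /tmp fails them.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example (not Asterisk code). Return 1 if 'path' is safe for a
 * privileged process to source: a regular file (not a symlink), owned by
 * trusted_uid, and writable by nobody else. */
int safe_to_source(const char *path, uid_t trusted_uid)
{
    struct stat st;

    if (lstat(path, &st) != 0) {
        return 0;                              /* missing or unreadable */
    }
    if (!S_ISREG(st.st_mode)) {
        return 0;                              /* symlink, dir, device... */
    }
    if (st.st_uid != trusted_uid) {
        return 0;                              /* owned by another account */
    }
    if (st.st_mode & (S_IWGRP | S_IWOTH)) {
        return 0;                              /* group/world could edit it */
    }
    return 1;
}

/* Return 1 if 'dir' is safe for a privileged process to create its gdb
 * init and output files in: owned by trusted_uid and not group- or
 * world-writable. /tmp (mode 1777) fails this; the sticky bit does not
 * help when the attacker can pre-create the file names the tool uses. */
int safe_scratch_dir(const char *dir, uid_t trusted_uid)
{
    struct stat st;

    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) {
        return 0;
    }
    if (st.st_uid != trusted_uid) {
        return 0;
    }
    if (st.st_mode & (S_IWGRP | S_IWOTH)) {
        return 0;
    }
    return 1;
}

/* Runs the checks against a constructed private directory and config
 * file. Returns a bitmask of outcomes (bit set = check accepted the path):
 *   bit 0: config file at mode 0666      (expected rejected)
 *   bit 1: config file at mode 0644      (expected accepted)
 *   bit 2: /tmp as scratch directory     (expected rejected)
 *   bit 3: private 0700 dir as scratch   (expected accepted)
 *   bit 4: symlink pointing at the file  (expected rejected)
 * The expected mask is therefore 0b01010 = 10. Returns -1 on setup error. */
int audit_demo(void)
{
    char tmpl[] = "/tmp/coredump-auditXXXXXX";   /* constructed sandbox */
    char conf[4096], link[4096];
    char *dir = mkdtemp(tmpl);                   /* created with mode 0700 */
    uid_t me = getuid();
    FILE *f;
    int mask = 0;

    if (!dir) {
        return -1;
    }
    snprintf(conf, sizeof conf, "%s/ast_debug_tools.conf", dir);
    snprintf(link, sizeof link, "%s/ast_debug_tools.link", dir);
    f = fopen(conf, "w");
    if (!f) {
        rmdir(dir);
        return -1;
    }
    fputs("# constructed sample config\n", f);
    fclose(f);

    chmod(conf, 0666);
    mask |= safe_to_source(conf, me) << 0;
    chmod(conf, 0644);
    mask |= safe_to_source(conf, me) << 1;
    mask |= safe_scratch_dir("/tmp", me) << 2;
    mask |= safe_scratch_dir(dir, me) << 3;
    if (symlink(conf, link) == 0) {
        mask |= safe_to_source(link, me) << 4;
        unlink(link);
    }

    unlink(conf);
    rmdir(dir);
    return mask;
}

int main(void)
{
    printf("audit mask: %d (expected 10)\n", audit_demo());
    return 0;
}
```

For the real tool the trusted uid would be 0 rather than getuid(), and the scratch directory should be one the tool creates itself with mkdtemp rather than a shared path; the bitmask is only there so the five outcomes can be checked in one place.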


