Cyber Posture

CVE-2026-23740

Low

Published: 06 February 2026
Modified: 10 February 2026
KEV Added: not listed
Patch: see the patched versions in the NVD description below
CVSS Score: 0.0 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N)
EPSS Score: 0.0002 (3.8th percentile)
Risk Priority: 0 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23740 is an uncategorised-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Sangoma Certified Asterisk. Its CVSS base score is 0.0.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 3.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).
Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The local untrusted search path flaw in the root-privileged ast_coredumper directly enables arbitrary command execution as root, which maps to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission (which is all users on a Linux system) to that directory can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

Deeper analysis (AI)

CVE-2026-23740 is a vulnerability in Asterisk, an open source private branch exchange and telephony toolkit. It affects the ast_coredumper component, which in versions prior to 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2 writes gdb init and output files to world-writable directories such as /tmp. The flaw, classified as CWE-427 (Uncontrolled Search Path Element), allows manipulation of these file paths when the directory permits writes from unprivileged users.

Any local user on a Linux system with write access to the target directory, such as /tmp, can exploit the vulnerability. By controlling the gdb init file and output paths, the attacker can trick the root-privileged ast_coredumper into executing arbitrary commands or overwriting arbitrary files. The CVSS v3.1 base score is 0.0 (AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N), indicating a local attack with low complexity, no privileges required, user interaction needed, and changed scope but no direct confidentiality, integrity, or availability impact.

The official Asterisk security advisory at https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c confirms the issue has been addressed in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. Practitioners should upgrade affected installations to these patched releases to prevent exploitation.
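Because the only remediation the advisory gives is upgrading to a patched release, the practical check for a defender is whether an installed version sits at or above the fix point for its branch. The script below is an added example, not code from this page or from the Asterisk project; it hard-codes the five patched versions stated above and assumes that `asterisk -V` prints a banner of the form "Asterisk <version>" (the banner parsing is an assumption, as is the choice to treat certified releases as their own branch ordered by the -certN suffix).

```python
"""Classify an Asterisk version against the CVE-2026-23740 fix points.

Patched releases, as stated in the advisory text on this page:
20.7-cert9, 20.18.2, 21.12.1, 22.8.2, 23.2.2.
"""
import re

# Fix points per release branch, taken from the advisory. Certified
# releases (20.7-certN) are tracked as their own branch, ordered by the
# certN suffix (an assumption about how those releases are numbered).
PATCHED = {
    "20-cert": (20, 7, 9),
    "20": (20, 18, 2),
    "21": (21, 12, 1),
    "22": (22, 8, 2),
    "23": (23, 2, 2),
}

# Accepts '20.18.2', '18.9', and certified forms such as '20.7-cert9'.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-cert(\d+))?$")


def parse_version(version: str):
    """Return (branch, comparable tuple).

    Regular releases compare as (major, minor, patch); certified releases
    compare as (major, minor, certN) within the '<major>-cert' branch.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Asterisk version string: {version!r}")
    major, minor, patch, cert = m.groups()
    if cert is not None:
        return f"{major}-cert", (int(major), int(minor), int(cert))
    return major, (int(major), int(minor), int(patch or 0))


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable', or 'unsupported-branch'.

    'unsupported-branch' means the advisory lists no fixed release for that
    branch (e.g. 13.x, 16.x, 18.x), so the version cannot be considered fixed.
    """
    branch, key = parse_version(version)
    fixed = PATCHED.get(branch)
    if fixed is None:
        return "unsupported-branch"
    return "patched" if key >= fixed else "vulnerable"


def version_from_banner(banner: str) -> str:
    """Extract the version from an 'asterisk -V' banner such as
    'Asterisk 20.18.1' (banner format is an assumption of this example)."""
    m = re.search(r"Asterisk\s+(\S+)", banner)
    if not m:
        raise ValueError(f"no version found in banner: {banner!r}")
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample inputs; replace with the real 'asterisk -V' output.
    for banner in ("Asterisk 20.18.1", "Asterisk 20.7-cert9",
                   "Asterisk 22.8.2", "Asterisk 18.9.0"):
        v = version_from_banner(banner)
        print(f"{v:>12}: {assess(v)}")
```

Feed it the banner from each Asterisk host in inventory; anything reported as "vulnerable" or "unsupported-branch" should be scheduled for upgrade to the corresponding patched release.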

Details

CWE(s): CWE-427 (Uncontrolled Search Path Element)

Affected Products

sangoma / certified asterisk: 13.13.0, 16.8, 16.8.0, 18.9, 20.7
sangoma / asterisk: ≤ 20.18.2; 21.0.0 to 21.12.1; 22.0.0 to 22.8.2

CVEs Like This One

CVE-2026-23741 (same product: Sangoma Asterisk)
CVE-2024-57520 (same product: Sangoma Asterisk)
CVE-2026-2360 (shared CWE-427)
CVE-2025-55210 (same vendor: Sangoma)
CVE-2026-2361 (shared CWE-427)
CVE-2026-42171 (shared CWE-427)
CVE-2026-4134 (shared CWE-427)
CVE-2026-3775 (shared CWE-427)
CVE-2025-24998 (shared CWE-427)
CVE-2024-9497 (shared CWE-427)

References