Cyber Resilience

CVE-2026-23740

Low

Published: 06 February 2026

Modified: 10 February 2026
CVSS Score v3.1: 0.0 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N)
EPSS Score: 0.0002 (6.2th percentile)
Risk Priority: 0 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23740 is an uncategorised-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Sangoma Certified Asterisk. Its CVSS base score is 0.0.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 6.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23740 is a vulnerability in Asterisk, an open source private branch exchange and telephony toolkit. It affects the ast_coredumper component, which writes gdb init and output files to world-writable directories such as /tmp in versions prior to 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. The flaw, classified as CWE-427 (Uncontrolled Search Path Element), allows manipulation of these file paths when the directory permits writes from unprivileged users.

Any local user on a Linux system with write access to the target directory, such as /tmp, can exploit the vulnerability. By controlling the gdb init file and output paths, the attacker can trick the root-privileged ast_coredumper into executing arbitrary commands or overwriting arbitrary files. The CVSS v3.1 base score is 0.0 (AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N), indicating a local attack with low complexity, no privileges required, user interaction needed, and changed scope but no direct confidentiality, integrity, or availability impact.

The official Asterisk security advisory at https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c confirms the issue has been addressed in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. Practitioners should upgrade affected installations to these patched releases to prevent exploitation.

Vulnerability details

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission (which is all users on a Linux system) to that directory can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local untrusted search path flaw in privileged ast_coredumper directly enables arbitrary command execution as root, mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23741 (Same product: Sangoma Asterisk)
CVE-2024-57520 (Same product: Sangoma Asterisk)
CVE-2026-42171 (Shared CWE-427)
CVE-2026-4134 (Shared CWE-427)
CVE-2026-2361 (Shared CWE-427)
CVE-2026-2360 (Shared CWE-427)
CVE-2025-55210 (Same vendor: Sangoma)
CVE-2024-9495 (Shared CWE-427)
CVE-2026-24502 (Shared CWE-427)
CVE-2025-48503 (Shared CWE-427)

Affected Assets

Vendor / Product / Versions
sangoma / certified asterisk / 13.13.0, 16.8, 16.8.0, 18.9, 20.7
sangoma / asterisk / ≤ 20.18.2 · 21.0.0 — 21.12.1 · 22.0.0 — 22.8.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the vendor patches (20.7-cert9 and later) that close the untrusted search path in ast_coredumper.

prevent

Requires ast_coredumper to execute with only the privileges needed to write core files, eliminating the ability for an unprivileged user to cause root-level command execution.

prevent

Enforces secure configuration settings such as a non-world-writable directory for gdb init/output files instead of /tmp.
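
The secure-configuration control above, as an added example (not code from the Asterisk project or the advisory): a shell check that a directory is fit to receive files written by a root-run tool such as ast_coredumper. The function name, its arguments and the default uid 0 are assumptions of this example, and it relies on GNU stat and find.

```shell
#!/bin/sh
# Added example, not Asterisk project code.
# check_output_dir DIR [UID]: return 0 only if DIR is safe for a privileged
# process running as UID (assumed default: 0, root) to write files into.
check_output_dir() {
    dir=$1
    want_uid=${2:-0}
    rc=0

    # A symlink could redirect every write to a location someone else chose.
    if [ -L "$dir" ]; then
        echo "FAIL: $dir is a symbolic link"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi

    owner=$(stat -c '%u' "$dir")   # numeric owner (GNU stat)
    mode=$(stat -c '%a' "$dir")    # octal permission bits, e.g. 1777 for /tmp

    if [ "$owner" != "$want_uid" ]; then
        echo "FAIL: $dir is owned by uid $owner, expected $want_uid"
        rc=1
    fi
    # Group- or other-writable (022) lets another account create or replace
    # files in DIR; the sticky bit on /tmp does not stop pre-creation.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: $dir has mode $mode (writable by group or others)"
        rc=1
    fi
    # Entries already present but owned by someone else may be planted
    # files or symlinks waiting to be read or overwritten.
    foreign=$(find "$dir" -mindepth 1 -maxdepth 1 ! -uid "$want_uid" 2>/dev/null)
    if [ -n "$foreign" ]; then
        echo "FAIL: entries in $dir not owned by uid $want_uid:"
        echo "$foreign"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir (owner $owner, mode $mode)"
    return "$rc"
}
```
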

References