CVE-2026-23741
Published: 06 February 2026
Summary
CVE-2026-23741 is an uncategorised-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Asterisk, including Sangoma Certified Asterisk. Its published CVSS base score is 0.0.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-23741 affects Asterisk, an open source private branch exchange and telephony toolkit, specifically in versions prior to 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. The vulnerability (CWE-427: Uncontrolled Search Path Element) resides in the asterisk/contrib/scripts/ast_coredumper script, which runs as root and sources the contents of /etc/asterisk/ast_debug_tools.conf. That file is parsed with bash semantics, and it lives in a directory writable by the asterisk user:group.
A local attacker with write access to /etc/asterisk/ast_debug_tools.conf (in practice, anyone running as the asterisk user, or anyone who has compromised the Asterisk daemon) can add or modify arbitrary bash code in the file. The next time the root-privileged ast_coredumper script runs, it sources the tampered file and the attacker's code executes as root. The published CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N: local attack, low complexity, user interaction required, changed scope. Note that with all three impact metrics set to None the CVSS 3.1 formula yields a base score of 0.0, which is why the severity is uncategorised, and PR:N does not match the write access as the asterisk user that the description requires. Treat the score as unreliable and prioritise this issue on the technical description: a local asterisk-to-root escalation.
The issue has been patched in Asterisk versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. Additional details are available in the GitHub security advisory at https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3.
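As an added illustration (not code from the Asterisk project or from the advisory), the script below contrasts the vulnerable pattern with one hardened loader. The function names and the accepted key list (DEBUG_DIR, COREDUMPS, OUTPUT_DIR) are hypothetical and not the real ast_debug_tools.conf schema; only the config path /etc/asterisk/ast_debug_tools.conf comes from the advisory. The hardened loader refuses a file whose ownership or write bits (on the file or its parent directory) do not match, and then reads the file as data rather than handing it to the shell, so nothing in it can be evaluated.

```shell
#!/bin/sh
# Added example for this advisory; not Asterisk project code. Function names
# (vulnerable_load, conf_trusted, conf_get, ast_debug_tools_load) and the
# accepted key list are hypothetical.
set -u

# (a) Vulnerable pattern: every line of $1 is executed with the caller's
# privileges. When the caller is root and the asterisk user can write the
# file, the asterisk user gets root on the next run.
vulnerable_load() {
    # shellcheck disable=SC1090
    . "$1"
}

# Print "<owner-uid> <octal-mode>" for a path: GNU stat, then BSD fallback.
owner_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %Lp' "$1"
}

# (b1) Trust check. $1 is the config path, $2 the uid allowed to own it
# (default 0 = root). The file and its parent directory must both exist,
# not be symlinks, be owned by that uid, and have no group/other write bit.
# Returns 0 when trusted, 1 otherwise.
conf_trusted() {
    want_uid=${2:-0}
    for path in "$1" "$(dirname "$1")"; do
        [ -L "$path" ] && return 1
        [ -e "$path" ] || return 1
        om=$(owner_mode "$path") || return 1
        uid=${om%% *}; mode=${om##* }
        [ "$uid" = "$want_uid" ] || return 1
        tail=${mode#"${mode%??}"}        # last two octal digits: group, other
        grp=${tail%?}; oth=${tail#?}
        [ $(( grp & 2 )) -eq 0 ] && [ $(( oth & 2 )) -eq 0 ] || return 1
    done
    return 0
}

# (b2) Data-only reader. Accepts KEY=VALUE lines for a fixed set of keys and
# a conservative value character set; everything else is skipped. Nothing is
# evaluated, so `$(...)`, backticks, `;` or spaces in the file cannot run a
# command. Prints the value of key $2 and returns 0, or returns 1 if unset.
conf_get() {
    key=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; *=*) ;; *) continue ;; esac
        k=${line%%=*}; v=${line#*=}
        case "$k" in DEBUG_DIR|COREDUMPS|OUTPUT_DIR) ;; *) continue ;; esac
        case "$v" in *[!A-Za-z0-9_./:,-]*) continue ;; esac
        if [ "$k" = "$key" ]; then printf '%s\n' "$v"; return 0; fi
    done < "$1"
    return 1
}

# Only read the file once the trust check passes. Exit status 2 means the
# file was refused; a real tool would fall back to built-in defaults.
ast_debug_tools_load() {
    conf_trusted "$1" "${2:-0}" || { echo "refusing untrusted $1" >&2; return 2; }
    conf_get "$1" DEBUG_DIR
}

# Usage from a root-run tool: ast_debug_tools_load /etc/asterisk/ast_debug_tools.conf
```

Run as root with the default owner uid 0 the loader rejects the exact situation the advisory describes: a config file, or its parent directory, that the asterisk user can write. The key=value reader is the part that actually removes the code-execution primitive; the ownership check alone only narrows who can exploit it.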
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5648
Vulnerability details
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper script runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script sources the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writable by the asterisk user:group. Because /etc/asterisk/ast_debug_tools.conf follows bash semantics and is loaded by sourcing, an attacker with write permission can add to or modify the file so that, when the root-owned ast_coredumper runs, it sources and thereby executes arbitrary bash code found in /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
- CWE(s): CWE-427 (Uncontrolled Search Path Element)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A root-run script sourcing a configuration file that a lower-privileged user can write is a direct privilege escalation path: injected bash code in /etc/asterisk/ast_debug_tools.conf runs as root, taking the attacker from the asterisk user to root (T1068, Exploitation for Privilege Escalation).
Mitigating Controls (NIST 800-53 r5)
- Directly prevents the root-owned ast_coredumper from sourcing and executing code in a file writable by the lower-privileged asterisk user.
- Enforces that only authorized (root) subjects may modify /etc/asterisk/ast_debug_tools.conf or otherwise influence the privileged script's execution.
- Restricts modification of the configuration file and the script to authorized administrators, blocking the untrusted-search-path vector.