Arbitrary File Overwrite Vulnerability in Asterisk Telephony Toolkit
CVE-2026-23740
7.8
NONE
What is CVE-2026-23740?
Asterisk, an open source private branch exchange and telephony toolkit, has a vulnerability that allows an attacker to execute arbitrary commands. The 'ast_coredumper' component writes its gdb initialization and output files to a world-writable directory, such as '/tmp'. Because of these lax permissions, any user on the Linux system can manipulate the files to gain unauthorized access, potentially resulting in the execution of malicious commands. The vulnerability has been addressed in patched releases, including versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
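The safer pattern for scratch files of this kind, as an added example that is not Asterisk's code or its patch: use a freshly created private directory and refuse to write through anything that already exists at the target path. The function names and the file names 'gdbinit' and 'gdb-output.txt' are hypothetical.

```shell
#!/bin/sh
# Added example, not Asterisk code. Function and file names are hypothetical.
# Weak pattern the advisory describes: fixed file names in a world-writable
# directory such as /tmp, which any local user can pre-create or symlink.

# Succeeds only if $1 is a real directory (not a symlink), owned by the
# current user, and not writable by group or others.
is_private_dir() {
    [ -n "$(find "$1" -prune -type d -user "$(id -u)" \
            ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Create a fresh directory with a random name and mode 0700; print its path.
make_private_workdir() {
    base=${1:-${TMPDIR:-/tmp}}
    dir=$(umask 077; mktemp -d "$base/coredump.XXXXXXXXXX") || return 1
    is_private_dir "$dir" || return 1
    printf '%s\n' "$dir"
}

# Write stdin to $1 only if nothing exists at that path. noclobber (set -C)
# makes ">" refuse existing files and planted symlinks instead of following them.
write_new_file() {
    ( set -C; umask 077; cat > "$1" ) 2>/dev/null
}

# Prepare the scratch files for one debugger run; print the directory used.
prepare_gdb_scratch() {
    work=$(make_private_workdir "$1") || return 1
    printf 'set pagination off\n' | write_new_file "$work/gdbinit" || return 1
    : | write_new_file "$work/gdb-output.txt" || return 1
    printf '%s\n' "$work"
}
```

The same is_private_dir check can be run against any directory an administrator configures for debugger output before files are written there.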
Affected Version(s)
asterisk < 23.2.2
asterisk < 22.8.2
asterisk < 21.12.1
