
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN677
_____________________________________________________________________

DATE                : 26/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Asterisk versions prior
                     to 20.20.1, 21.12.3, 22.10.1, 23.4.1,
                     certified-asterisk versions prior to
                     20.7-cert11, 22.8-cert3.

=====================================================================
https://github.com/asterisk/asterisk/security/advisories/GHSA-vrfp-mg3q-3959
https://github.com/asterisk/asterisk/security/advisories/GHSA-g8q2-p36q-94f6
https://github.com/asterisk/asterisk/security/advisories/GHSA-wcvv-g26m-wx5c
https://github.com/asterisk/asterisk/security/advisories/GHSA-h5hv-jmgj-92q2
https://github.com/asterisk/asterisk/security/advisories/GHSA-746q-794h-cc7f
https://github.com/asterisk/asterisk/security/advisories/GHSA-3g56-cgrh-95p5
_____________________________________________________________________
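
A defender-side check that maps the version ranges in this note onto a running instance, written for this note (not code from Asterisk or CERT-Renater). It assumes the first line of `asterisk -V` reads "Asterisk X.Y.Z" for standard releases and "Asterisk certified/X.Y-certN" for certified-asterisk, and it uses the most conservative fixed version per branch, i.e. the one that covers all six advisories.

```python
import re

# First fixed release per branch, taken from the CERT-Renater note above.
PATCHED = {
    "asterisk":  {20: (20, 20, 1), 21: (21, 12, 3), 22: (22, 10, 1), 23: (23, 4, 1)},
    "certified": {20: (20, 7, 11), 22: (22, 8, 3)},
}

# Banner formats assumed here (see lead-in); both also match the longer
# "core show version" line because only the prefix is inspected.
_STD = re.compile(r"^Asterisk (\d+)\.(\d+)\.(\d+)")
_CERT = re.compile(r"^Asterisk certified/(\d+)\.(\d+)-cert(\d+)")


def parse_version(banner):
    """Return (flavour, (major, minor, patch)) for an Asterisk version banner.

    For certified builds the third component is the certN number, so tuple
    comparison orders 20.7-cert10 before 20.7-cert11 as intended.
    """
    m = _CERT.match(banner)
    if m:
        return "certified", tuple(int(x) for x in m.groups())
    m = _STD.match(banner)
    if m:
        return "asterisk", tuple(int(x) for x in m.groups())
    raise ValueError("unrecognised Asterisk version banner: %r" % banner)


def is_affected(banner):
    """True if the version is older than the first patched release of its branch.

    Branches the note does not list (for example Asterisk 18 or 19) return
    None: no patched version is known from this note, so treat as "unknown"
    rather than "safe".
    """
    flavour, ver = parse_version(banner)
    fixed = PATCHED[flavour].get(ver[0])
    if fixed is None:
        return None
    return ver < fixed


if __name__ == "__main__":
    # Constructed sample banners, one per case the note distinguishes.
    for b in ("Asterisk 22.10.0", "Asterisk 22.10.1",
              "Asterisk certified/20.7-cert10", "Asterisk 18.24.3"):
        print(b, "->", is_affected(b))
```

Run it against the real banner with `asterisk -V | python3 check.py`-style plumbing, or call `is_affected()` from inventory tooling; a None result means the branch is outside this note's scope, not that it is patched.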

ARI setChannelVar bypasses live_dangerously and permits FILE() writes
High
gtjoseph published GHSA-vrfp-mg3q-3959 

Software
asterisk

Affected versions
<= 20.20.0
<= 21.12.2
<= 22.10.0
<= 23.4.0

Patched versions
20.20.1
21.12.3
22.10.1
23.4.1

certified-asterisk
Affected versions
<= 20.7-cert10
<= 22.8-cert2
Patched versions
20.7-cert11
22.8-cert3

Description

Summary

An authenticated ARI attacker with read-only privileges may be able
to execute "write" dialplan functions even if the live_dangerously
option in asterisk.conf is set to "no".

Preconditions

    The Asterisk HTTP webserver must be enabled. It's disabled by
    default.
    The attacker must be able to connect to the HTTP server. Even
    when enabled, the HTTP server is bound only to 127.0.0.1 by default.
    The attacker must already have valid read-only ARI credentials.

Severity
High
8.1 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE ID
CVE-2026-57202

Weaknesses
Weakness CWE-267
Weakness CWE-1220

Credits

    @gmrvh gmrvh Reporter

_____________________________________________________________________

Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP
connection closes during SDP processing

High
gtjoseph published GHSA-g8q2-p36q-94f6

Software
asterisk

Affected versions
<= 20.20.0
<= 21.12.2
<= 22.10.0
<= 23.4.0

Patched versions
20.20.1
21.12.3
22.10.1
23.4.1

certified-asterisk
Affected versions
<= 20.7-cert10
<= 22.8-cert2
Patched versions
20.7-cert11
22.8-cert3

Description

Summary

An authenticated attacker may be able to crash Asterisk by sending
it a SIP INVITE over a connection-oriented transport then
disconnecting before Asterisk responds with the 200 OK.


Preconditions

    So far, this crash can only be reproduced if Asterisk is built with
    the Address Sanitizer enabled as it's the Address Sanitizer that
    flags the issue.
    The Address Sanitizer is a development tool that carries significant
    performance overhead and is therefore never used in production
    systems.

Severity
High
7.1 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required Low
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability High
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVE ID
CVE-2026-57187

Weaknesses
Weakness CWE-416
Weakness CWE-664

Credits

    @damseleng damseleng Reporter

_____________________________________________________________________

ARI REST-over-WebSocket read-only bypass allows arbitrary module path
load and conditional RCE

High
gtjoseph published GHSA-wcvv-g26m-wx5c

Software
asterisk

Affected versions
<= 20.20.0
<= 21.12.2
<= 22.10.0
<= 23.4.0

Patched versions
20.20.1
21.12.3
22.10.1
23.4.1

certified-asterisk
Affected versions
<= 22.8-cert2
Patched versions
22.8-cert3


Description

Summary

An authenticated attacker with read-only permissions to use the
Asterisk REST Interface (ARI) may, under certain conditions, execute
write operations when using the REST-over-WebSocket feature.


Preconditions

    The Asterisk HTTP web server must be enabled. It's disabled by
    default.
    The attacker must be able to connect to the HTTP server. Even
    when enabled, the HTTP server is bound only to 127.0.0.1 by default.
    The attacker must already have valid read-only ARI credentials.

Severity
High
7.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2026-57200

Weaknesses
Weakness CWE-22
Weakness CWE-863

Credits

    @ZwCrazyThursday ZwCrazyThursday Reporter

_____________________________________________________________________

CVE-2022-37325 fix is absent from current chan_ooh323 Q.931
party-number parser

High
gtjoseph published GHSA-h5hv-jmgj-92q2

Software
asterisk

Affected versions
<= 21.12.2
<= 22.10.0
<= 23.4.0

Patched versions
21.12.3
22.10.1
23.4.1

certified-asterisk
Affected versions
<= 22.8-cert2
Patched versions
22.8-cert3


Description

Summary

A previously reported and fixed security vulnerability (CVE-2022-37325)
for chan_ooh323 was never forward ported from Asterisk 20 to later
versions. The original issue involved triggering an Asterisk crash using
malformed Q.931 elements in an OOH323 request.


Preconditions

    An Asterisk instance running a version > 20.
    The chan_ooh323 addon channel driver must be explicitly compiled and
    installed. It's not by default.
    The port used by chan_ooh323 must be open to the public.

Severity
High
7.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2026-57186

Weaknesses
Weakness CWE-839

Credits

    @ZwCrazyThursday ZwCrazyThursday Reporter

_____________________________________________________________________

Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
Moderate
gtjoseph published GHSA-746q-794h-cc7f

Software
asterisk

Affected versions
<= 20.20.0
<= 21.12.2
<= 22.10.0
<= 23.4.0

Patched versions
20.20.1
21.12.3
22.10.1
23.4.1

certified-asterisk
Affected versions
<= 20.7-cert10
<= 22.8-cert2
Patched versions
20.7-cert11
22.8-cert3


Description

Summary

Insufficient bounds checking in the chan_ooh323 Q.931 parser may allow
an unauthenticated attacker to cause an Asterisk crash using carefully
crafted setup packets.

Preconditions

    The chan_ooh323 addon channel driver must be explicitly compiled
    and installed. It's not by default.
    The port used by chan_ooh323 must be open to the public.

Severity
Moderate
6.3 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability Low
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CVE ID
CVE-2026-57184

Weaknesses
Weakness CWE-125

Credits

    @TristanInSec TristanInSec Reporter

_____________________________________________________________________

chan_unistim DIALPAGE digit handling can overflow phone_number and
crash Asterisk

Moderate
gtjoseph published GHSA-3g56-cgrh-95p5

Software
asterisk

Affected versions
<= 20.20.0
<= 21.12.2
<= 22.10.0
<= 23.4.0

Patched versions
20.20.1
21.12.3
22.10.1
23.4.1

certified-asterisk
Affected versions
<= 20.7-cert10
<= 22.8-cert2
Patched versions
20.7-cert11
22.8-cert3


Description

Summary

A potential out-of-bounds write in the UNISTIM channel driver may
allow an attacker to crash Asterisk using a carefully crafted incoming
request packet.


Preconditions

    The chan_unistim module must be loaded.
    The module must be configured with a valid UNISTIM UDP port.
    The attacker must be able to reach that port.
    The attacker must register as a configured phone MAC, or the
    deployment must have an equivalent production/autoprovisioning
    path that allows a client to reach the main page.

Severity
Moderate
5.9 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2026-57194

Weaknesses
Weakness CWE-787

Credits

    @ZwCrazyThursday ZwCrazyThursday Reporter

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================