CVE-2021-26713
published 2021-02-19

Priority: P3 (36), medium
CVSS 3.1 base score: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.85% (76.4th percentile)
A stack-based buffer overflow in res_rtp_asterisk.c in Sangoma Asterisk before 16.16.1, 17.x before 17.9.2, and 18.x before 18.2.1 and Certified Asterisk before 16.8-cert6 allows an authenticated WebRTC client to cause an Asterisk crash by sending multiple hold/unhold requests in quick succession. This is caused by a signedness comparison mismatch.

Affected

17 ranges
Vendor | Product            | Version range          | Fixed in
-------|--------------------|------------------------|-----------
debian | asterisk           |                        |
digium | asterisk           | >= 0 < 16.16.1-r0      | 16.16.1-r0
digium | asterisk           | >= 0 < 18.2.1-r0       | 18.2.1-r0
digium | asterisk           | >= 16.0.0 < 16.16.1    | 16.16.1
digium | asterisk           | >= 17.0.0 < 17.9.2     | 17.9.2
digium | asterisk           | >= 18.0.0 < 18.2.1     | 18.2.1
digium | certified_asterisk |                        |

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|------------------------------------------------
nvd           | v3.1    | 6.5   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
nvd           | v2.0    | 4.0   | MEDIUM   | AV:N/AC:L/Au:S/C:N/I:N/A:P
osv           |         | 6.5   | MEDIUM   |
vendor_debian |         | 6.5   | LOW      |