CVE-2025-54995 — Uncontrolled Resource Consumption in Asterisk

CWE-400 — Uncontrolled Resource Consumption CWE-1286 — Improper Validation of Syntactic Correctness of Input7 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

1.0%

top 23.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Asterisk Sangoma Asterisk Sangoma Certified Asterisk +1 more

Timeline

PublishedAug 28

Description

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions 18.26.4 and 18.9-cert17.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/asterisk< asterisk 1:16.28.0~dfsg-0+deb11u8 (bullseye)

▶NVDsangoma/asterisk< 18.26.4

▶CVEListV5asterisk/asterisk< 18.26.4+1

▶NVDsangoma/certified_asterisk< 18.9+1

▶Debianasterisk/asterisk< 1:16.28.0~dfsg-0+deb11u8

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2025-54995: Asterisk is an open source private branch exchange and telephony toolkit↗2025-08-28

▶

📋Vendor Advisories

Debian

CVE-2025-54995: asterisk - Asterisk is an open source private branch exchange and telephony toolkit. Prior ...↗2025

▶

💬Community

Bugzilla

CVE-2025-54995 asterisk: Asterisk resource exhaustion [fedora-41]↗2025-08-28

▶

Bugzilla

CVE-2025-54995 asterisk: Asterisk resource exhaustion [epel-8]↗2025-08-28

▶

Bugzilla

CVE-2025-54995 asterisk: Asterisk resource exhaustion [fedora-42]↗2025-08-28

▶

Bugzilla

CVE-2025-54995 asterisk: Asterisk resource exhaustion [epel-9]↗2025-08-28

▶