{"id":"CVE-2019-15297","details":"res_pjsip_t38 in Sangoma Asterisk 15.x before 15.7.4 and 16.x before 16.5.1 allows an attacker to trigger a crash by sending a declined stream in a response to a T.38 re-invite initiated by Asterisk. The crash occurs because of a NULL session media object dereference.","modified":"2026-03-14T01:31:12.786921Z","published":"2019-09-09T21:15:10.827Z","references":[{"type":"WEB","url":"http://packetstormsecurity.com/files/161671/Asterisk-Project-Security-Advisory-AST-2021-006.html"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2021/Mar/5"},{"type":"FIX","url":"http://downloads.asterisk.org/pub/security/AST-2019-004.html"},{"type":"FIX","url":"http://packetstormsecurity.com/files/154371/Asterisk-Project-Security-Advisory-AST-2019-004.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/asterisk/asterisk","events":[{"introduced":"d4cc63728def7ca06ad3f70547de87bc5c9ef7c0"},{"last_affected":"c2d9780d3d91fb44804df0db829712cff0340e44"},{"introduced":"a65908f83e2f17a3aca7eb39c8e06045aca02674"},{"last_affected":"6b80f4dc0afae278361262b9d62ac53c5a56e60c"}],"database_specific":{"versions":[{"introduced":"15.0.0"},{"last_affected":"15.7.3"},{"introduced":"16.0.0"},{"last_affected":"16.5.0"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-15297.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}