{"id":"CVE-2025-49832","summary":"Asterisk is Vulnerable to Remote DoS and possible RCE Attacks During Memory Allocation","details":"Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, 20.00.0 through 20.15.0, 20.7-cert6, 21.00.0 through 21.10.0, and 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken/verification.c` that can be exploited when an attacker can send an arbitrary Identity header and STIR/SHAKEN verification is enabled in the SIP profile associated with the endpoint being attacked. This is fixed in versions 18.26.3, 20.15.1, 20.7-cert7, 21.10.1 and 22.5.1. Note that the CVSS 3.1 vector recorded here (C:N/I:N/A:H) reflects only the availability impact; code execution is described as possible, not confirmed.","aliases":["GHSA-mrq5-74j5-f5cr"],"modified":"2026-04-10T05:29:04.881563Z","published":"2025-08-01T17:57:29.933Z","database_specific":{"cwe_ids":["CWE-476"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49832.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49832.json"},{"type":"ADVISORY","url":"https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49832"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/asterisk/asterisk","events":[{"introduced":"0"},{"fixed":"544aceb34f061af5371994e9e0701e0231d4409f"},{"fixed":"21d22b328a0ee310df50868c36d6d466d111f133"},{"fixed":"ff38e11ded47cb69adc1ec0c14e2a45aa7bf50da"},{"fixed":"9130399bb961771b0acd2a137c7dd64715ece417"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"18.26.3"},{"introduced":"20.00.0"},{"fixed":"20.15.1"},{"introduced":"21.00.0"},{"fixed":"21.10.1"},{"introduced":"22.00.0"},{"fixed":"22.5.1"}]}},{"type":"GIT","repo":"https://github.com/asterisk/asterisk","events":[{"introduced":"5b15600bd766b21b12a5d73e3050e3ec4f2e8db9"},{"fixed":"356f4d00876f07f6094f8d45a49229f29a3d5
9f0"}],"database_specific":{"versions":[{"introduced":"20.7-cert6"},{"fixed":"20.7-cert7"}]}}],"versions":["18.17.0","18.17.0-rc1","18.17.1","18.18.0","18.18.0-rc1","18.18.1","18.19.0","18.19.0-rc1","18.19.0-rc2","18.20.0","18.20.0-rc1","18.20.1","18.20.2","18.21.0","18.21.0-rc1","18.21.0-rc2","18.22.0","18.22.0-rc1","18.22.0-rc2","18.23.0","18.23.0-rc1","18.23.1","18.24.0","18.24.0-rc1","18.24.1","18.24.2","18.24.3","18.25.0","18.25.0-rc1","18.25.0-rc2","18.26.0","18.26.0-rc1","18.26.1","18.26.2","20.10.0","20.10.0-rc1","20.10.0-rc2","20.11.0","20.11.0-rc1","20.11.1","20.12.0","20.12.0-rc1","20.12.0-rc2","20.13.0","20.13.0-rc1","20.14.0","20.14.0-rc1","20.15.0","20.15.0-rc1","20.15.0-rc2","20.15.0-rc3","20.2.0","20.2.0-rc1","20.2.1","20.3.0","20.3.0-rc1","20.3.1","20.4.0","20.4.0-rc1","20.4.0-rc2","20.5.0","20.5.0-rc1","20.5.1","20.5.2","20.6.0","20.6.0-rc1","20.6.0-rc2","20.7.0","20.7.0-rc1","20.7.0-rc2","20.8.0","20.8.0-rc1","20.8.1","20.9.0","20.9.0-rc1","20.9.1","20.9.2","20.9.3","21.0.0","21.0.0-pre1","21.0.0-rc1","21.0.1","21.0.2","21.1.0","21.1.0-rc1","21.1.0-rc2","21.10.0","21.10.0-rc1","21.10.0-rc2","21.10.0-rc3","21.2.0","21.2.0-rc1","21.2.0-rc2","21.3.0","21.3.0-rc1","21.3.1","21.4.0","21.4.0-rc1","21.4.1","21.4.2","21.4.3","21.5.0","21.5.0-rc1","21.5.0-rc2","21.6.0","21.6.0-rc1","21.6.1","21.7.0","21.7.0-rc1","21.7.0-rc2","21.8.0","21.8.0-rc1","21.9.0","21.9.0-rc1","22.0.0","22.0.0-pre1","22.0.0-rc1","22.0.0-rc2","22.1.0","22.1.0-rc1","22.1.1","22.2.0","22.2.0-rc1","22.2.0-rc2","22.3.0","22.3.0-rc1","22.4.0","22.4.0-rc1","22.5.0","22.5.0-rc1","22.5.0-rc2","22.5.0-rc3","certified-20.7-cert1-pre1","certified-20.7-cert6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49832.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}