PT-2026-6748 · Asterisk · Asterisk

Thattotallyrealmyth · Published 2026-01-01 · Updated 2026-02-06 · CVE-2026-23739

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Asterisk versions prior to 20.7-cert9
Asterisk versions prior to 20.18.2
Asterisk versions prior to 21.12.1
Asterisk versions prior to 22.8.2
Asterisk versions prior to 23.2.2
Description

The ast_xml_open() function in Asterisk's xml.c component uses libxml with insecure parsing options, specifically enabling entity expansion and XInclude processing. The function calls xmlReadFile() with the XML_PARSE_NOENT flag and then processes XIncludes via xmlXIncludeProcess(). If an attacker can supply untrusted or user-controlled XML input, they may be able to trigger an XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. The issue is triggered when the Asterisk process parses XML input supplied by the user.
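The entity-expansion half of the description above, as an added example that is not Asterisk's code: Python's stdlib xml.sax parser exposes the same weak-versus-hardened choice through feature_external_ges (the analogue of passing XML_PARSE_NOENT to libxml2), so the constructed sample below parses one untrusted document with external entities enabled and again with the hardened default, and returns what each configuration emitted. The temp-file path, the entity name `ext` and the `parse_text`/`demo` helpers are constructed for this illustration, not taken from Asterisk.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see exactly what the parser emitted."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_text(xml_bytes, expand_external_entities):
    """Return the concatenated text content of the document.

    expand_external_entities=True is the weak setting (the stdlib analogue of
    libxml2's XML_PARSE_NOENT): external general entities are read from disk
    and inlined. False is the hardened setting and the stdlib default.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, expand_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks).strip()


def demo(secret="constructed-secret"):
    """Constructed sample: untrusted XML whose entity points at a local file."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret + "\n")
        path = fh.name  # stands in for any host file the parser can read
    try:
        untrusted = (
            '<?xml version="1.0"?>\n'
            "<!DOCTYPE config [\n"
            f'  <!ENTITY ext SYSTEM "{path}">\n'
            "]>\n"
            "<config><value>&ext;</value></config>\n"
        ).encode()
        leaked = parse_text(untrusted, expand_external_entities=True)
        safe = parse_text(untrusted, expand_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, safe
```

With expansion enabled the file contents come back as element text; with the hardened setting the entity reference is left unresolved and nothing from the file reaches the application.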
Recommendations

Update to Asterisk version 20.7-cert9 or later.
Update to Asterisk version 20.18.2 or later.
Update to Asterisk version 21.12.1 or later.
Update to Asterisk version 22.8.2 or later.
Update to Asterisk version 23.2.2 or later.

Exploit · Fix · XXE

Weakness Enumeration

Related Identifiers

CVE-2026-23739
GHSA-85X7-54WR-VH42

Affected Products

Asterisk