{"api_version":"1","generated_at":"2026-04-23T10:28:21+00:00","cve":"CVE-2022-26498","urls":{"html":"https://cve.report/CVE-2022-26498","api":"https://cve.report/api/cve/CVE-2022-26498.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-26498","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-26498"},"summary":{"title":"CVE-2022-26498","description":"An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2022-04-15 05:15:00","updated_at":"2023-05-04 17:15:00"},"problem_types":["CWE-400"],"metrics":[],"references":[{"url":"http://packetstormsecurity.com/files/166744/Asterisk-Project-Security-Advisory-AST-2022-001.html","name":"http://packetstormsecurity.com/files/166744/Asterisk-Project-Security-Advisory-AST-2022-001.html","refsource":"MISC","tags":[],"title":"Asterisk Project Security Advisory - AST-2022-001 ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://packetstormsecurity.com/files/172139/Shannon-Baseband-chatroom-SDP-Attribute-Memory-Corruption.html","name":"http://packetstormsecurity.com/files/172139/Shannon-Baseband-chatroom-SDP-Attribute-Memory-Corruption.html","refsource":"MISC","tags":[],"title":"Shannon Baseband chatroom SDP Attribute Memory Corruption ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://downloads.asterisk.org/pub/security/","name":"https://downloads.asterisk.org/pub/security/","refsource":"MISC","tags":[],"title":"Index of /pub/security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2022/dsa-5285","name":"DSA-5285","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5285-1 asterisk","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html","name":"[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3194-1] asterisk security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://downloads.asterisk.org/pub/security/AST-2022-001.html","name":"https://downloads.asterisk.org/pub/security/AST-2022-001.html","refsource":"MISC","tags":[],"title":"AST-2022-001","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-26498","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26498","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"26498","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"26498","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"26498","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"digium","cpe5":"asterisk","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"26498","vulnerable":"1","versionEndIncluding":"16.25.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"digium","cpe5":"asterisk","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"26498","vulnerable":"1","versionEndIncluding":"19.3.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"digium","cpe5":"asterisk","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-26498","qid":"181225","title":"Debian Security Update for asterisk (DLA 3194-1)"},{"cve":"CVE-2022-26498","qid":"181237","title":"Debian Security Update for asterisk (DSA 5285-1)"},{"cve":"CVE-2022-26498","qid":"502207","title":"Alpine Linux Security Update for asterisk"},{"cve":"CVE-2022-26498","qid":"503867","title":"Alpine Linux Security Update for asterisk"},{"cve":"CVE-2022-26498","qid":"690843","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for asterisk (8838abf0-bc47-11ec-b516-0897988a1c07)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2022-26498","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://downloads.asterisk.org/pub/security/","refsource":"MISC","name":"https://downloads.asterisk.org/pub/security/"},{"refsource":"MISC","name":"https://downloads.asterisk.org/pub/security/AST-2022-001.html","url":"https://downloads.asterisk.org/pub/security/AST-2022-001.html"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/166744/Asterisk-Project-Security-Advisory-AST-2022-001.html","url":"http://packetstormsecurity.com/files/166744/Asterisk-Project-Security-Advisory-AST-2022-001.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"},{"refsource":"DEBIAN","name":"DSA-5285","url":"https://www.debian.org/security/2022/dsa-5285"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/172139/Shannon-Baseband-chatroom-SDP-Attribute-Memory-Corruption.html","url":"http://packetstormsecurity.com/files/172139/Shannon-Baseband-chatroom-SDP-Attribute-Memory-Corruption.html"}]}},"nvd":{"publishedDate":"2022-04-15 05:15:00","lastModifiedDate":"2023-05-04 17:15:00","problem_types":["CWE-400"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*","versionStartIncluding":"19.0.0","versionEndIncluding":"19.3.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*","versionStartIncluding":"16.15.0","versionEndIncluding":"16.25.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*","versionStartIncluding":"18.0","versionEndExcluding":"18.11.2","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}