CVE-2017-16672

Published: Nov 9, 2017Modified: May 13, 2026

5.9

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. A memory leak occurs when an Asterisk pjsip session object is created and that call gets rejected before the session itself is fully established. When this happens the session object never gets destroyed. Eventually Asterisk can run out of memory and crash.

Affected (14)

Products: Digium: Asterisk, Certified Asterisk

Digium

2 products

Asterisk

Certified Asterisk

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Digium Asterisk	From 13.0.0 to 13.18.1
Digium Asterisk	From 14.0.0 to 14.7.1
Digium Asterisk	From 15.0.0 to 15.1.1

Configuration B

11 vulnerable

Vulnerable Software	Affected Versions
Digium Certified Asterisk	Version 13.13.0
Digium Certified Asterisk	Version 13.13.0 cert1
Digium Certified Asterisk	Version 13.13.0 cert1_rc1
Digium Certified Asterisk	Version 13.13.0 cert1_rc2
Digium Certified Asterisk	Version 13.13.0 cert1_rc3
Digium Certified Asterisk	Version 13.13.0 cert1_rc4
Digium Certified Asterisk	Version 13.13.0 cert2
Digium Certified Asterisk	Version 13.13.0 cert3
Digium Certified Asterisk	Version 13.13.0 cert4
Digium Certified Asterisk	Version 13.13.0 cert5
Digium Certified Asterisk	Version 13.13.0 cert6