{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "fixed": "18.26.3"
              },
              {
                "introduced": "20.00.0"
              },
              {
                "fixed": "20.15.1"
              },
              {
                "introduced": "21.00.0"
              },
              {
                "fixed": "21.10.1"
              },
              {
                "introduced": "22.00.0"
              },
              {
                "fixed": "22.5.1"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "544aceb34f061af5371994e9e0701e0231d4409f"
            },
            {
              "fixed": "21d22b328a0ee310df50868c36d6d466d111f133"
            },
            {
              "fixed": "ff38e11ded47cb69adc1ec0c14e2a45aa7bf50da"
            },
            {
              "fixed": "9130399bb961771b0acd2a137c7dd64715ece417"
            }
          ],
          "repo": "https://github.com/asterisk/asterisk",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "20.7-cert6"
              },
              {
                "fixed": "20.7-cert7"
              }
            ]
          },
          "events": [
            {
              "introduced": "5b15600bd766b21b12a5d73e3050e3ec4f2e8db9"
            },
            {
              "fixed": "356f4d00876f07f6094f8d45a49229f29a3d59f0"
            }
          ],
          "repo": "https://github.com/asterisk/asterisk",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-mrq5-74j5-f5cr"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-476"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49832.json"
  },
  "details": "Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken/verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1. Note: the affected ranges in this record give 20.7-cert7, not 20.7-cert6, as the fixed certified release.",
  "id": "CVE-2025-49832",
  "modified": "2026-04-01T23:08:45.146149562Z",
  "published": "2025-08-01T17:57:29.933Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49832.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49832"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Asterisk is Vulnerable to Remote DoS and possible RCE Attacks During Memory Allocation"
}