CVE-2016-9937

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2016-9937
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9937.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2016-9937
Published
2016-12-12T21:59:00.303Z
Modified
2026-04-10T03:55:33.233965Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in Asterisk Open Source 13.12.x and 13.13.x before 13.13.1 and 14.x before 14.2.1. If an SDP offer or answer is received with the Opus codec and with the format parameters separated using a space the code responsible for parsing will recursively call itself until it crashes. This occurs as the code does not properly handle spaces separating the parameters. This does NOT require the endpoint to have Opus configured in Asterisk. This also does not require the endpoint to be authenticated. If guest is enabled for chansip or anonymous in chanpjsip an SDP offer or answer is still processed and the crash occurs.

References

Affected packages

Git / github.com/asterisk/asterisk

Affected ranges

Type
GIT
Repo
https://github.com/asterisk/asterisk
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
226a7e36c538de73cee76de4183b1569bd5501e5
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
fdde690e0fa2e58bf45ea2bf83962bb1c261d6e0
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
c6d6dd133c3db3b202f1f0d457780c9a6d841e0f
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
dabf482ce43ef37f4cef7a85e7971382b506f5c8
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
106c33d20fe0709159a6c57c970cc95a98bfba9f
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2f573737b0360acc150110f11c6038bf072f1d30
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
37cde9225d9526e465698b958a6720d8e33709be
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "13.12"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "13.13"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "14.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "14.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "14.1.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "14.1.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "14.2"
        }
    ]
}

Affected versions

13.*
13.12.0
13.12.0-rc1
13.13.0
13.13.0-rc1
13.13.0-rc2
14.*
14.0.0
14.0.0-beta1
14.0.0-beta2
14.0.0-rc1
14.0.0-rc2
14.1.0
14.1.0-rc1
14.1.1
14.1.2
14.2.0
14.2.0-rc1
14.2.0-rc2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9937.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "14.01"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "14.02"
            }
        ]
    }
]