CVE-2025-57767: 
NixOS vulnerability analysis and mitigation

Asterisk, an open source private branch exchange and telephony toolkit, was found to have a vulnerability (CVE-2025-57767) affecting versions prior to 20.15.2, 21.10.2, and 22.5.2. The vulnerability was discovered and disclosed on August 28, 2025, impacting the SIP request handling functionality (GitHub Advisory, CERT-FR).

The vulnerability occurs when a SIP request is received with an Authorization header containing a realm that wasn't in a previous 401 response's WWW-Authenticate header, or when an Authorization header with an incorrect realm is received without a previous 401 response being sent. In such cases, the get_authorization_header() function in res_pjsip_authenticator_digest returns NULL, which wasn't being checked before attempting to get the digest algorithm from the header, resulting in a segmentation fault. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability can lead to a denial of service condition through a system crash when exploited. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (GitHub Advisory).

The vulnerability has been patched in Asterisk versions 20.15.2, 21.10.2, and 22.5.2. There are no workarounds available, making it critical for affected users to upgrade to the patched versions (GitHub Advisory).