CVE-2009-0871

CVE-2009-0871 is a low-severity vulnerability in Digium Asterisk with a CVSS 2.0 base score of 3.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-20.

Key facts

Description

The SIP channel driver in Asterisk Open Source 1.4.22, 1.4.23, and 1.4.23.1; 1.6.0 before 1.6.0.6; 1.6.1 before 1.6.1.0-rc2; and Asterisk Business Edition C.2.3, with the pedantic option enabled, allows remote authenticated users to cause a denial of service (crash) via a SIP INVITE request without any headers, which triggers a NULL pointer dereference in the (1) sip_uri_headers_cmp and (2) sip_uri_params_cmp functions.

Frequently asked questions

What is CVE-2009-0871?
The SIP channel driver in Asterisk Open Source 1.4.22, 1.4.23, and 1.4.23.1; 1.6.0 before 1.6.0.6; 1.6.1 before 1.6.1.0-rc2; and Asterisk Business Edition C.2.3, with the pedantic option enabled, allows remote authenticated users to cause a denial of service (crash) via a SIP INVITE request without any headers, which triggers a NULL pointer dereference in the (1) sip_uri_headers_cmp and (2) sip_uri_params_cmp functions.
How severe is CVE-2009-0871?
CVE-2009-0871 has a CVSS 2.0 base score of 3.5, rated low severity.
Is CVE-2009-0871 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 3% (83rd percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2009-0871?
CVE-2009-0871 primarily affects Digium Asterisk. In total, 30 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2009-0871?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2009-0871 published?
CVE-2009-0871 was published on 2009-03-11 and last updated on 2026-06-16.

References

Affected products (30)

More vulnerabilities in Digium Asterisk

All CVEs affecting Digium Asterisk →

Other CWE-20 (Improper Input Validation) vulnerabilities

Browse all CWE-20 (Improper Input Validation) vulnerabilities →