Asterisk 16.24.1, 18.10.1, 19.2.1 and 16.8-cert13 Now Available (Security)

The Asterisk Development Team would like to announce security releases for
Asterisk 16, 18 and 19, and Certified Asterisk 16.8. The available releases are
released as versions 16.24.1, 18.10.1, 19.2.1 and 16.8-cert13.

These releases are available for immediate download at

The following security vulnerabilities were resolved in these versions:


  • AST-2022-004: pjproject: integer underflow on STUN message
    The header length on incoming STUN messages that contain an ERROR-CODE
    attribute is not properly checked. This can result in an integer underflow.
    Note, this requires ICE or WebRTC support to be in use with a malicious remote


  • AST-2022-005: pjproject: undefined behavior after freeing a dialog set
    When acting as a UAC, and when placing an outgoing call to a target that then
    forks Asterisk may experience undefined behavior (crashes, hangs, etc…)
    after a dialog set is prematurely freed.


  • AST-2022-006: pjproject: unconstrained malformed multipart SIP message
    If an incoming SIP message contains a malformed multi-part body an out of
    bounds read access may occur, which can result in undefined behavior. Note,
    it’s currently uncertain if there is any externally exploitable vector
    within Asterisk for this issue, but providing this as a security issue out of

For a full list of changes in the current releases, please see the ChangeLogs:


The security advisories are available at:


Thank you for your continued support of Asterisk!

What can we help you find?