High severity7.5NVD Advisory· Published Jul 31, 2007· Updated Apr 23, 2026

CVE-2007-4103

Description

The IAX2 channel driver (chan_iax2) in Asterisk Open 1.2.x before 1.2.23, 1.4.x before 1.4.9, and Asterisk Appliance Developer Kit before 0.6.0, when configured to allow unauthenticated calls, allows remote attackers to cause a denial of service (resource exhaustion) via a flood of calls that do not complete a 3-way handshake, which causes an ast_channel to be allocated but not released.

Affected products

Digium/Asterisk
cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*
Range: >=1.2.20,<1.2.23
Digium/Asterisk Appliance Developer Kit
cpe:2.3:a:digium:asterisk_appliance_developer_kit:*:*:*:*:*:*:*:*
Range: <0.6.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

bugs.gentoo.org/show_bug.cginvdIssue TrackingPatch
ftp.digium.com/pub/asa/ASA-2007-018.pdfnvdBroken LinkPatch
secunia.com/advisories/26274nvdBroken LinkPatchVendor Advisory
security.gentoo.org/glsa/glsa-200802-11.xmlnvdThird Party Advisory
www.securityfocus.com/archive/1/475069/100/0/threadednvdBroken LinkThird Party AdvisoryVDB Entry
www.securityfocus.com/bid/24950nvdBroken LinkThird Party AdvisoryVDB Entry
www.securitytracker.com/idnvdBroken LinkThird Party AdvisoryVDB Entry
osvdb.org/38197nvdBroken Link
secunia.com/advisories/29051nvdBroken Link
securityreason.com/securityalert/2960nvdBroken Link
www.vupen.com/english/advisories/2007/2701nvdBroken Link

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000