CVE-2022-42705 is a use-after-free vulnerability identified in the res_pjsip_pubsub.c module of the Sangoma Asterisk telephony software, specifically affecting versions 16.28, 18.14, 19.6, and certified/18.9-cert2. Asterisk is an open-source framework widely used for building communications applications such as IP PBX systems, VoIP gateways, and conference servers. The vulnerability arises when a remote authenticated attacker performs concurrent activities on a subscription via a reliable transport while Asterisk is simultaneously processing activity on the same subscription. This race condition leads to a use-after-free scenario, where the software attempts to access memory that has already been freed, resulting in a crash of the Asterisk service and causing a denial of service (DoS). The CVSS v3.1 base score is 6.5, indicating a medium severity level. The vector metrics specify that the attack can be launched remotely over the network (AV:N) with low attack complexity (AC:L), requires privileges (PR:L) but no user interaction (UI:N), and impacts availability only (A:H) without affecting confidentiality or integrity. No known exploits are currently reported in the wild, and no official patches or vendor advisories are linked in the provided data. The vulnerability is categorized under CWE-416 (Use After Free), a common memory corruption issue that can lead to crashes or potentially more severe exploitation if combined with other vulnerabilities. Given the nature of the flaw, exploitation requires authenticated access, implying that attackers must have valid credentials or compromised accounts to trigger the condition. The vulnerability specifically targets the subscription handling mechanism within the PJSIP module, which manages SIP (Session Initiation Protocol) subscriptions and notifications, a core component in VoIP communications handled by Asterisk.

For European organizations relying on Sangoma Asterisk for their telephony infrastructure, this vulnerability poses a risk primarily of service disruption. The denial of service condition can interrupt voice communications, impacting business operations, customer service, and internal communications. Organizations in sectors with high dependency on VoIP systems—such as telecommunications providers, call centers, financial institutions, and public sector entities—may experience operational downtime, leading to financial losses and reputational damage. Although the vulnerability does not directly compromise confidentiality or integrity, the resulting service outages could indirectly affect business continuity and emergency communication capabilities. The requirement for authenticated access limits the attack surface to insiders or attackers who have already breached perimeter defenses or obtained valid credentials, but this does not eliminate risk, especially in environments with weak authentication controls or exposed management interfaces. Additionally, the vulnerability could be leveraged as part of a multi-stage attack to distract or degrade defenses during more sophisticated intrusion attempts. Given the critical role of Asterisk in many European organizations' telephony infrastructure, even a medium-severity DoS can have significant operational impact.

Organizations should immediately audit their Asterisk deployments to identify affected versions (16.28, 18.14, 19.6, certified/18.9-cert2). Although no official patches are referenced in the provided data, it is critical to monitor Sangoma's official channels for updates or security advisories addressing this issue. In the interim, practical mitigations include restricting access to Asterisk management and SIP interfaces to trusted networks and users only, employing strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise, and implementing network segmentation to isolate telephony infrastructure from general IT networks. Monitoring and logging subscription-related activities can help detect anomalous or concurrent subscription manipulations indicative of exploitation attempts. Rate limiting SIP subscription requests and employing intrusion detection/prevention systems (IDS/IPS) with SIP protocol awareness can further reduce attack likelihood. Regularly reviewing and rotating credentials, disabling unused services or modules, and applying the principle of least privilege to user accounts with access to Asterisk systems are also recommended. Finally, organizations should prepare incident response plans specifically for telephony outages to minimize operational disruption if exploitation occurs.