VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-zzpx-gwmv-sfbz

Essentials
Severities (10)
References (3)
Severity details (0)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-zzpx-gwmv-sfbz
Aliases	CVE-2016-9938
Summary	An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you.
Status	Published
Exploitability	0.5
Weighted Severity	0.0
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (0)

There are no known CWE.

System	Score	Found at
epss	0.01419	https://api.first.org/data/v1/epss?cve=CVE-2016-9938
epss	0.01419	https://api.first.org/data/v1/epss?cve=CVE-2016-9938
epss	0.01419	https://api.first.org/data/v1/epss?cve=CVE-2016-9938
epss	0.01419	https://api.first.org/data/v1/epss?cve=CVE-2016-9938
epss	0.01419	https://api.first.org/data/v1/epss?cve=CVE-2016-9938
epss	0.01419	https://api.first.org/data/v1/epss?cve=CVE-2016-9938
epss	0.01419	https://api.first.org/data/v1/epss?cve=CVE-2016-9938
epss	0.01419	https://api.first.org/data/v1/epss?cve=CVE-2016-9938
epss	0.01419	https://api.first.org/data/v1/epss?cve=CVE-2016-9938
epss	0.01419	https://api.first.org/data/v1/epss?cve=CVE-2016-9938

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2016-9938
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9938
847668		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847668

No exploits are available.

There are no known vectors.

Exploit Prediction Scoring System (EPSS)

Percentile	0.80524
EPSS Score	0.01419
Published At	April 1, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T16:32:17.521538+00:00	Debian Oval Importer	Import	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.0.0