Open5gs CVE-2025-44951

EUVD-2025-18653 · HIGH
Classic Buffer Overflow (CWE-120)
2025-06-18 · cve@mitre.org
CVSS 3.1 (NVD): 7.1

Severity by source

NVD (primary): 7.1 HIGH · AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 22:49 (euvd), EUVD-2025-18653
Analysis Generated: Mar 14, 2026 - 22:49 (vuln.today)
PoC Detected: Jan 09, 2026 - 19:16 (vuln.today), public exploit code
CVE Published: Jun 18, 2025 - 16:15 (nvd), HIGH 7.1

Description (CVE.org)

A missing length check in ogs_pfcp_dev_add function from PFCP library, used by both smf and upf in open5gs 2.7.2 and earlier, allows a local attacker to cause a Buffer Overflow by changing the session.dev field with a value with length greater than 32.

Analysis (AI)

Buffer overflow vulnerability in the PFCP (Packet Forwarding Control Protocol) library used by open5gs 2.7.2 and earlier. The vulnerability exists in the ogs_pfcp_dev_add function due to missing length validation on the session.dev field, allowing a local attacker with low privileges to cause a buffer overflow that can result in information disclosure, integrity compromise, or denial of service. The vulnerability has not been reported as actively exploited in the wild (no KEV status indicated), but the low attack complexity and local attack vector make it a practical concern for compromised or insider threat scenarios.

Technical Context (AI)

The PFCP library is a core component of open5gs, an open-source 5G core network implementation used in both SMF (Session Management Function) and UPF (User Plane Function) components. PFCP is a 3GPP-standardized protocol (TS 29.244) for communication between control and user plane functions in 5G networks. The vulnerability is classified as CWE-120 (Buffer Copy without Checking Size of Input), a classic memory safety issue where the ogs_pfcp_dev_add function fails to validate that the session.dev field length does not exceed a 32-byte buffer before copying data. This allows an attacker to write beyond allocated buffer boundaries, potentially corrupting adjacent memory structures, overwriting function pointers, or leaking sensitive data. The affected CPE would be cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:* with versions up to and including 2.7.2.

Remediation (AI)

Immediate actions:
(1) Upgrade open5gs to a patched version greater than 2.7.2 when available; check the official open5gs repository and release notes for security patches.
(2) Implement network segmentation to restrict local access to SMF/UPF processes; limit which users and services can interact with PFCP components.
(3) Apply the principle of least privilege to service accounts running open5gs components.
(4) Monitor for buffer overflow exploitation attempts using system call tracing (e.g., strace) or memory protection mechanisms (ASLR, stack canaries, DEP) to detect unusual memory access patterns.
(5) In the interim, review access controls to PFCP processing code and validate that only trusted internal processes can modify the session.dev field.

A proper code-level fix requires input validation in the ogs_pfcp_dev_add function to ensure session.dev length does not exceed 32 bytes before copying; this should include both length checks and use of safe string/buffer handling functions (e.g., strncpy with explicit length limits instead of strcpy).
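The length check described above, as an added example (not open5gs code and not the project's patch): `demo_dev_t`, both `demo_dev_set_*` functions, the 32-byte buffer layout and the sample device name are assumptions for illustration. It rejects over-length input instead of truncating it, because `strncpy` by itself leaves the destination unterminated when the source fills the buffer.

```c
#include <stdio.h>
#include <string.h>

#define DEV_NAME_MAX 32  /* assumption: 32-byte buffer, terminator included */

/* Hypothetical stand-in for a device record; not the open5gs struct. */
typedef struct {
    char ifname[DEV_NAME_MAX];
    int  fd;             /* neighbouring field an overflow would reach first */
} demo_dev_t;

/* Unsafe pattern (CWE-120): copies until NUL with no bound on the
 * destination. Shown for contrast only; it is never called below. */
void demo_dev_set_unchecked(demo_dev_t *dev, const char *name)
{
    strcpy(dev->ifname, name);
}

/* Hardened form: accept only names that fit with their terminator.
 * Returns 0 on success, -1 on NULL, empty or over-length input. */
int demo_dev_set_checked(demo_dev_t *dev, const char *name)
{
    const char *end;

    if (dev == NULL || name == NULL)
        return -1;
    end = memchr(name, '\0', DEV_NAME_MAX);  /* scans at most 32 bytes */
    if (end == NULL || end == name)          /* too long, or empty */
        return -1;
    memcpy(dev->ifname, name, (size_t)(end - name) + 1);
    return 0;
}

int main(void)
{
    demo_dev_t dev = { .ifname = "", .fd = 7 };
    char long_name[64];                      /* constructed over-length input */

    memset(long_name, 'A', sizeof(long_name) - 1);
    long_name[sizeof(long_name) - 1] = '\0';

    printf("ogstun   -> %d\n", demo_dev_set_checked(&dev, "ogstun"));
    printf("63 x 'A' -> %d (fd still %d)\n",
           demo_dev_set_checked(&dev, long_name), dev.fd);
    return 0;
}
```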

Vendor Status (Vendor)

Debian

Bug #1094791
open5gs
Release Status Fixed Version Urgency
open - -
