CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Description
A missing length check in the `ogs_pfcp_dev_add` function of the PFCP library, used by both the SMF and the UPF in open5gs 2.7.2 and earlier, allows a local attacker to cause a buffer overflow by setting the `session.dev` field to a value longer than 32 bytes.
Analysis
Buffer overflow in the PFCP (Packet Forwarding Control Protocol) library shipped with open5gs 2.7.2 and earlier. `ogs_pfcp_dev_add` copies the configured `session.dev` interface name into a fixed 32-byte buffer without validating its length, so a local attacker with low privileges who can change that value triggers an out-of-bounds write. Consistent with the CVSS vector (C:N/I:H/A:H), the impact is memory corruption leading to integrity compromise or denial of service of the SMF/UPF process; the vector assigns no confidentiality impact. No in-the-wild exploitation has been reported (no KEV listing), but the low attack complexity makes it a practical concern wherever a less-privileged local user, a compromised management tool, or an insider can edit the configuration.
Technical Context
The PFCP library is a core component of open5gs, an open-source 5G core network implementation, and is linked into both the SMF (Session Management Function) and the UPF (User Plane Function). PFCP is the 3GPP-standardised protocol (TS 29.244) between control-plane and user-plane functions. The flaw is classified as CWE-120 (Buffer Copy without Checking Size of Input): `ogs_pfcp_dev_add` copies the `session.dev` value, the name of the TUN interface configured for a session subnet in the SMF/UPF configuration, into a 32-byte buffer without first checking that the value fits. A longer value writes past the end of the buffer, corrupting adjacent fields of the device structure and whatever memory follows it; that can crash the process or, with more effort, be turned into control-flow hijack. The CVSS vector records no confidentiality impact (C:N). Note that on Linux an interface name is limited to IFNAMSIZ-1 (15) characters, so any `session.dev` value approaching the 32-byte limit is invalid for the kernel anyway and can simply be rejected. The affected CPE is `cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*` with versions up to and including 2.7.2.
Affected Products
Affected product: open5gs (open-source 5G core network). Affected versions: 2.7.2 and all earlier versions. Components impacted: SMF (Session Management Function) and UPF (User Plane Function), which both use the vulnerable PFCP library. CPE identifier: cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:* with constraint version <= 2.7.2. Any deployment running open5gs in the SMF or UPF role is affected where a local attacker can set or modify the `session.dev` value (the TUN interface name configured for a session subnet); the attack vector is local, not a crafted PFCP message from the network. No vendor advisory links or patch version information is provided in the available data; consult the open5gs GitHub repository (https://github.com/open5gs/open5gs) for patch releases and security advisories.
Remediation
Immediate actions:
(1) Upgrade open5gs to a release newer than 2.7.2 that contains the fix; check the official open5gs repository and release notes for the relevant patch.
(2) Restrict who can write the SMF and UPF configuration files: file permissions owned by root or the service account, read-only for everyone else, and changes only through a controlled deployment pipeline with review.
(3) Run the open5gs components under dedicated, least-privilege service accounts so that a compromised or malicious low-privilege user cannot edit their configuration.
(4) Build and run with the usual memory-safety mitigations (stack protector, FORTIFY_SOURCE, ASLR/PIE, non-executable stack). These do not detect an attack, but they turn many overflow attempts into a clean crash instead of code execution; pair them with process crash monitoring and configuration-file integrity monitoring (auditd or a file-integrity tool) so that unexpected edits to `session.dev` and SMF/UPF restarts are noticed.
(5) In the interim, reject overlong `session.dev` values before start-up, for example with a pre-flight check of the configuration; a Linux interface name cannot exceed 15 characters, so anything longer is invalid regardless of the overflow.
The code-level fix is to validate the length of `session.dev` in `ogs_pfcp_dev_add` before copying and to reject values that do not fit in the 32-byte buffer with their NUL terminator. Prefer an explicit length check followed by a bounded copy over `strncpy`: `strncpy` does not NUL-terminate on overflow and silently truncates, which would bind the wrong interface rather than fail loudly.
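As an added example, not open5gs code, illustrating both the CWE-120 pattern described under Technical Context and the fix outlined in the Remediation steps above: a hypothetical `dev_add_unchecked` with the unbounded copy beside a `dev_add_checked` that validates the length before copying, plus a start-up check over a constructed list of `session.dev` values. The struct layout, the function names and the sample configuration are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical stand-in for the 32-byte interface-name buffer described in
 * the advisory. Illustrative only: not open5gs' ogs_pfcp_dev_t or
 * ogs_pfcp_dev_add. On Linux a valid interface name is at most IFNAMSIZ-1
 * (15) characters, so any configured name of 16+ bytes is already bogus.
 */
#define DEV_NAME_MAX 32

struct session_dev {
    char ifname[DEV_NAME_MAX];  /* NUL-terminated interface name */
    int  fd;                    /* tun fd placeholder; -1 until opened */
};

/*
 * VULNERABLE pattern (CWE-120): the copy trusts the caller's length. A name
 * of DEV_NAME_MAX or more bytes writes past ifname into fd and then past the
 * allocation. Kept only to show the defect; never call it with a value an
 * attacker can influence.
 */
struct session_dev *dev_add_unchecked(const char *ifname)
{
    struct session_dev *dev = calloc(1, sizeof(*dev));
    if (!dev)
        return NULL;
    strcpy(dev->ifname, ifname);  /* no length check: overflow */
    dev->fd = -1;
    return dev;
}

/*
 * HARDENED: measure with a bound, reject anything that would not fit with
 * its terminator, and only then copy. Rejecting beats truncating: strncpy
 * would silently bind a different interface name and leaves ifname
 * unterminated when the input is too long.
 */
struct session_dev *dev_add_checked(const char *ifname)
{
    if (ifname == NULL)
        return NULL;
    size_t len = 0;
    while (len < DEV_NAME_MAX && ifname[len] != '\0')  /* bounded strlen */
        len++;
    if (len == 0 || len >= DEV_NAME_MAX) {
        fprintf(stderr, "session.dev rejected: length >= %d\n", DEV_NAME_MAX);
        return NULL;
    }
    struct session_dev *dev = calloc(1, sizeof(*dev));
    if (!dev)
        return NULL;
    memcpy(dev->ifname, ifname, len + 1);  /* len + 1 includes the NUL */
    dev->fd = -1;
    return dev;
}

/* Test helper: build a name of `len` 'x' bytes and report whether it is accepted. */
int name_accepted(size_t len)
{
    char buf[128];
    if (len >= sizeof(buf))
        return 0;
    memset(buf, 'x', len);
    buf[len] = '\0';
    struct session_dev *dev = dev_add_checked(buf);
    int ok = dev != NULL;
    free(dev);
    return ok;
}

/*
 * Start-up validation over every configured session.dev value, the check a
 * loader should run before any PFCP session is set up. Returns the number
 * accepted; a caller that gets fewer than `n` should refuse to start rather
 * than run with a partial table.
 */
int validate_session_devs(const char *const *names, int n, int *rejected)
{
    int accepted = 0;
    *rejected = 0;
    for (int i = 0; i < n; i++) {
        struct session_dev *dev = dev_add_checked(names[i]);
        if (dev) {
            accepted++;
            free(dev);
        } else {
            (*rejected)++;
        }
    }
    return accepted;
}

/* Constructed sample configuration: two sane names and one 40-byte value. */
int validate_sample_config(void)
{
    static const char *const names[] = {
        "ogstun",
        "ogstun2",
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    };
    int rejected = 0;
    return validate_session_devs(names, 3, &rejected);
}

int main(void)
{
    printf("accepted %d of 3 configured session.dev values\n",
           validate_sample_config());
    return 0;
}
```

The boundary matters: a 31-character name is the longest that fits with its terminator, a 32-character one must be refused. Run the same validation at start-up over the parsed configuration and exit non-zero on any rejection, so an overlong `session.dev` can never reach the copy.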
Vendor Status
Debian (bug #1094791)
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| | open | - | - |
EUVD-2025-18653