Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionCVE.org
Assertion failure vulnerability in the PCO (Protocol Configuration Options) parser in the SMF (Session Management Function) component of Open5GS before v2.7.5 allows remote attackers to cause denial of service via specially crafted NGAP messages containing malformed length fields in protocol configuration data.
AnalysisAI
Denial of service in Open5GS SMF component (versions before v2.7.5) allows unauthenticated remote attackers to crash the 5G core network Session Management Function by sending NGAP messages with malformed Protocol Configuration Options containing invalid length fields. The vulnerability triggers assertion failures in the PCO parser (CWE-617), causing service termination. With CVSS 7.5 (High) severity and network-accessible attack vector requiring no authentication, this poses significant operational risk to 5G networks, though the low EPSS score (0.07%, 22nd percentile) suggests limited observed exploitation attempts. No active exploitation confirmed (not in CISA KEV). Upstream fix available via commit d770787 incorporated in v2.7.5 release.
Technical ContextAI
Open5GS is an open-source implementation of 5G Core and EPC (Evolved Packet Core) for mobile networks. The Session Management Function (SMF) handles PDU session establishment, modification, and release in 5G standalone architecture. This vulnerability exists in the Protocol Configuration Options (PCO) parser within lib/proto/types.c, which processes configuration data encapsulated in NGAP (Next Generation Application Protocol) messages exchanged between the SMF and AMF (Access and Mobility Management Function). PCO/ePCO structures carry negotiation parameters like DNS addresses, IP allocation methods, and protocol-specific configuration between user equipment and the core network. The root cause (CWE-617: Reachable Assertion) occurs when the parser encounters length field inconsistencies - the code used ogs_assert() for size validation, causing immediate process termination when malformed data violated expected invariants. The commit changes defensive assertions to runtime error checks (ogs_expect/conditional error handling), allowing graceful failure instead of crash. This affects multiple protocol handlers: S5-C (GTP-C interface), Gn (GPRS core network), and GSM (NAS layer) build functions that construct session responses containing PCO data.
RemediationAI
Upgrade to Open5GS v2.7.5 or later, which includes commit d7707879c943d2c952235382154d835b5849d54e replacing vulnerable assertion-based validation with graceful error handling. The patch converts ogs_assert() calls to ogs_expect() with explicit error checking, preventing crashes when malformed PCO data is encountered. Download from official Open5GS GitHub releases (https://github.com/open5gs/open5gs/releases/tag/v2.7.5). For environments unable to immediately upgrade, implement network-level mitigations: restrict NGAP message sources to authenticated, trusted AMF/MME nodes only using IPsec or firewall rules limiting access to SMF control plane interfaces (typically SCTP port 38412 for NGAP), though this reduces attack surface rather than eliminating the vulnerability and may complicate legitimate multi-vendor interoperability. Enable verbose logging and monitoring for SMF crash/restart events to detect exploitation attempts. Note that access control mitigations assume network segmentation exists - in flat or compromised networks, attackers with network access can still reach vulnerable interfaces. No workaround fully compensates for the code-level fix; patching is the only complete remediation. Review https://github.com/open5gs/open5gs/commit/d7707879c943d2c952235382154d835b5849d54e for detailed code changes affecting lib/proto/types.c and src/smf/ message builders.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209599