Skip to main content

Open5GS CVE-2026-15720

| EUVDEUVD-2026-44343 HIGH
Out-of-bounds Read (CWE-125)
2026-07-14 redhat-cnalr GHSA-2vfm-v289-h559
8.6
CVSS 3.1 · Vendor: redhat-cnalr
Share

Severity by source

Vendor (redhat-cnalr) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
vuln.today AI
8.6 HIGH

Pre-authentication, no privileges or interaction (PR:N/UI:N), reachable over the network NAS interface with low complexity; crash of the AMF impacts all subscribers (S:C, A:H) with no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Primary rating from Vendor (redhat-cnalr).

CVSS VectorVendor: redhat-cnalr

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 20:09 vuln.today
CVE Published
Jul 14, 2026 - 18:20 cve.org
HIGH 8.6

DescriptionCVE.org

In Open5GS through version 2.7.7 a pre-authentication heap out-of-bounds read in the AMF NAS 5GS mobile-identity handler may result in subscriber-wide denial of service.

AnalysisAI

Denial of service in Open5GS (open-source 5G/EPC core) through version 2.7.7 lets remote unauthenticated attackers crash the AMF by sending a malformed NAS 5GS mobile-identity information element, triggering a heap out-of-bounds read before authentication completes. Because the AMF handles mobility management for the entire network, a single crafted pre-authentication message can produce a subscriber-wide outage rather than affecting only the sender. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain RAN/N2 signaling access via malicious UE or rogue gNB
Delivery
Send crafted NAS registration with malformed 5GS mobile-identity IE
Exploit
Trigger heap out-of-bounds read in AMF parser
Execution
Crash AMF pre-authentication
Impact
Subscriber-wide mobility management denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires the ability to deliver a NAS 5GS registration message with a malformed mobile-identity information element to the Open5GS AMF's N1/N2 signaling interface, which the AMF parses before authentication - no valid subscriber credentials, SIM provisioning, or prior session are needed (CVSS PR:N, UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H (base 8.6) describes a low-complexity, network-reachable, pre-authentication attack with no user interaction, a scope change (the crashed AMF impacts other subscribers/components), and pure availability impact - confidentiality and integrity are untouched despite the 'Information Disclosure' tag, since an OOB read that leaks data is not reflected in the C:N metric. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to the RAN or N2 signaling path - for example via a malicious UE or a compromised/rogue gNB - sends a crafted initial NAS registration request containing a malformed 5GS mobile-identity IE to the AMF. The AMF's pre-authentication parser performs an out-of-bounds heap read and crashes, dropping mobility management for all attached subscribers; repeating the message keeps the core down. …
Remediation Upgrade to a fixed Open5GS release as directed by the vendor advisory GHSA-f4mx-3x6p-cfwp (https://github.com/open5gs/open5gs/security/advisories/GHSA-f4mx-3x6p-cfwp) - patch available per vendor advisory, but no exact fixed version number was included in the provided data, so confirm the patched tag directly from that advisory and the Open5GS release notes before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Immediately inventory all Open5GS deployments running versions through 2.7.7, assess network exposure to untrusted sources, and enable detailed logging and alerting for malformed NAS pre-authentication messages on all AMF instances. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-40130 CRITICAL POC
9.8 Jul 16

open5gs v2.6.4 is vulnerable to Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2024-40129 CRITICAL POC
9.8 Jul 16

Open5GS v2.6.4 is vulnerable to Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2021-28122 CRITICAL POC
9.8 Mar 10

A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. Rated critical severity (CVSS 9.8

CVE-2021-25863 HIGH POC
8.8 Jan 26

Open5GS 2.1.3 listens on 0.0.0.0:3000 and has a default password of 1423 for the admin account. Rated high severity (CVS

CVE-2023-37023 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contain a reachable assertion in the `Uplink NAS Transport` packet handler. Rated high sev

CVE-2023-37021 HIGH POC
8.6 Jan 22

Open5GS MME version <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37020 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37019 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37018 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37017 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37016 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37015 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the

Share

CVE-2026-15720 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy