Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was detected in Open5GS up to 2.7.7. This affects the function ogs_sbi_client_send_via_scp_or_sepp in the library lib/sbi/client.c of the component NF. Performing a manipulation results in out-of-bounds read. The attack is possible to be carried out remotely. The patch is named d5bc487fcf9ea87d2b03f2ef95123af344773bfb. It is suggested to install a patch to address this issue.
AnalysisAI
Out-of-bounds read in Open5GS up to version 2.7.7 allows remote attackers to trigger information disclosure via manipulation of the ogs_sbi_client_send_via_scp_or_sepp function in lib/sbi/client.c during Service-Based Interface (SBI) communication. The vulnerability exploits improper bounds checking when extracting paths from URIs, affecting the Network Function (NF) component. CVSS 6.9 (network-accessible, low complexity, no privileges required) with availability impact. Upstream patch commit d5bc487fcf9ea87d2b03f2ef95123af344773bfb available.
Technical ContextAI
Open5GS is a 5G/LTE telecom network core implementation. The vulnerability resides in the SBI client library (lib/sbi/client.c), specifically in the ogs_sbi_client_send_via_scp_or_sepp function which handles Service Communication Proxy (SCP) and Security Edge Protection Proxy (SEPP) message routing in 5G network function communication. The root cause is a CWE-125 (Out-of-bounds Read) condition in URI path extraction logic that lacks proper validation before memory access. The patch adds explicit return-value checking on a URI path extraction operation (rc == false condition), preventing the function from proceeding with unvalidated data. SBI is the standardized service-based interface between 5G network functions (NFs), making this library critical infrastructure for interoperability.
RemediationAI
Upgrade Open5GS to a patched version containing commit d5bc487fcf9ea87d2b03f2ef95123af344773bfb or later. If immediate upgrade is not feasible, apply the upstream patch from https://github.com/open5gs/open5gs/pull/4496 manually to lib/sbi/client.c by adding the rc == false validation check before URI path extraction. As a temporary compensating control, restrict network-level access to SBI client communication ports (typically TCP 7777 for SBI default) to authorized 5G network functions only, using firewall rules to block untrusted peer connections; this reduces attack surface but does not fix the underlying parsing bug and may impact network function discovery features. Validate all NF deployments to ensure SBI interfaces are not inadvertently exposed to external networks.
open5gs v2.6.4 is vulnerable to Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Open5GS v2.6.4 is vulnerable to Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. Rated critical severity (CVSS 9.8
Open5GS 2.1.3 listens on 0.0.0.0:3000 and has a default password of 1423 for the admin account. Rated high severity (CVS
Open5GS MME versions <= 2.6.4 contain a reachable assertion in the `Uplink NAS Transport` packet handler. Rated high sev
Open5GS MME version <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28912
GHSA-2xj3-jm9w-283r