Sukchan Lee

47 exploits Active since Dec 2021
CVE-2026-10157 WRITEUP HIGH WRITEUP
Open5GS NGAP PathSwitchRequest Message ngap-handler.c improper authentication
A vulnerability was identified in Open5GS up to 2.7.6. This impacts an unknown function of the file src/amf/ngap-handler.c of the component NGAP PathSwitchRequest Message Handler. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is a188e36b1741ffc2252133f59b1bda4f14d3cb5c. It is suggested to install a patch to address this issue.
CVSS 7.3
CVE-2026-8743 WRITEUP MEDIUM WRITEUP
Open5GS AMF/MME context.c ran_ue_find_by_amf_ue_ngap_id improper authorization
A vulnerability was found in Open5GS up to 2.7.6. This impacts the function ran_ue_find_by_amf_ue_ngap_id of the file src/amf/context.c of the component AMF/MME. Performing a manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The patch is named 5746b8576cfceec18ed87eb7d8cf11b1fb4cd8b1. It is suggested to install a patch to address this issue.
CVSS 6.3
CVE-2026-8744 WRITEUP MEDIUM WRITEUP
Open5GS NRF context.c ogs_sbi_nf_service_add denial of service
A vulnerability was determined in Open5GS up to 2.7.7. Affected is the function ogs_sbi_subscription_data_add/ogs_sbi_nf_service_add in the library /lib/sbi/context.c of the component NRF. Executing a manipulation can lead to denial of service. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This patch is called 819db11a08b9736a3576c4f99ceb28f7eb99523a. A patch should be applied to remediate this issue.
CVSS 4.3
CVE-2026-7601 WRITEUP MEDIUM WRITEUP
Open5GS AMF gmm-handler.c denial of service
A vulnerability has been found in Open5GS up to 2.7.6. Affected is an unknown function of the file src/amf/gmm-handler.c of the component AMF. The manipulation of the argument reg_type leads to denial of service. The attack is possible to be carried out remotely. Upgrading to version 2.7.7 is able to address this issue. The identifier of the patch is ebc66942b6f8f1fab2d640e71cf4e9f1a423b426. It is advisable to upgrade the affected component.
CVSS 4.3
CVE-2025-56568 WRITEUP HIGH WRITEUP
Open5GS < 2.7.5 - Denial of Service via Malformed NGAP Message Length Field
Assertion failure vulnerability in the PCO (Protocol Configuration Options) parser in the SMF (Session Management Function) component of Open5GS before v2.7.5 allows remote attackers to cause denial of service via specially crafted NGAP messages containing malformed length fields in protocol configuration data.
CVSS 7.5
CVE-2026-4240 WRITEUP MEDIUM WRITEUP
Open5GS CCA smf_s6b_sta_cb denial of service
A vulnerability was determined in Open5GS up to 2.7.6. The affected element is the function smf_gx_cca_cb/smf_gy_cca_cb/smf_s6b_aaa_cb/smf_s6b_sta_cb of the component CCA Handler. This manipulation causes denial of service. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.7.7 is sufficient to fix this issue. Patch name: 80eb484a6ab32968e755e628b70d1a9c64f012ec. Upgrading the affected component is recommended.
CVSS 5.3
CVE-2021-45462 WRITEUP HIGH WRITEUP
Open5GS 2.4.0 - Denial of Service via Crafted UE Packet
In Open5GS 2.4.0, a crafted packet from UE can crash SGW-U/UPF.
CVSS 7.5
CVE-2022-3299 WRITEUP MEDIUM WRITEUP
Open5GS 2.4.0-2.4.10 - Denial of Service in AMF SBI Client
A vulnerability was found in Open5GS up to 2.4.10. It has been declared as problematic. Affected by this vulnerability is an unknown functionality in the library lib/sbi/client.c of the component AMF. The manipulation leads to denial of service. The attack can be launched remotely. The name of the patch is 724fa568435dae45ef0c3a48b2aabde052afae88. It is recommended to apply a patch to fix this issue. The identifier VDB-209545 was assigned to this vulnerability.
CVSS 4.3
CVE-2023-50019 WRITEUP MEDIUM WRITEUP
open5gs v2.6.6 - Denial of Service via Nudm_UECM_Registration Response Error Handling
An issue was discovered in open5gs v2.6.6. InitialUEMessage, Registration request sent at a specific time can crash AMF due to incorrect error handling of Nudm_UECM_Registration response.
CVSS 5.9
CVE-2023-50020 WRITEUP HIGH WRITEUP
open5gs v2.6.6 - Denial of Service via SIGPIPE
An issue was discovered in open5gs v2.6.6. SIGPIPE can be used to crash AMF.
CVSS 7.5
CVE-2024-40129 WRITEUP CRITICAL WRITEUP
Open5GS v2.6.4 - Heap-based Buffer Overflow in /lib/pfcp/context.c
Open5GS v2.6.4 is vulnerable to Buffer Overflow. via /lib/pfcp/context.c.
CVSS 9.8
CVE-2024-40130 WRITEUP CRITICAL WRITEUP
open5gs v2.6.4 - Buffer Overflow in ABTS Core Library
open5gs v2.6.4 is vulnerable to Buffer Overflow. via /lib/core/abts.c.
CVSS 9.8
CVE-2024-56921 WRITEUP HIGH WRITEUP
open5gs - Denial of Service via gmm_state_exception() Error Handling
An issue was discovered in Open5gs v2.7.2. InitialUEMessage, Registration request sent at a specific time can crash AMF due to incorrect error handling of gmm_state_exception() function upon receipt of the Nausf_UEAuthentication_Authenticate response.
CVSS 7.5
CVE-2024-57519 WRITEUP HIGH WRITEUP
open5gs 2.7.2 - Denial of Service via ogs_dbi_auth_info Function
An issue in Open5GS v.2.7.2 allows a remote attacker to cause a denial of service via the ogs_dbi_auth_info function in lib/dbi/subscription.c file.
CVSS 7.5
CVE-2025-14953 WRITEUP LOW WRITEUP
open5gs < 2.7.5 - Denial of Service via Null Pointer Dereference in FAR-ID Handler
A flaw has been found in Open5GS up to 2.7.5. This impacts the function ogs_pfcp_handle_create_pdr in the library lib/pfcp/handler.c of the component FAR-ID Handler. Executing a manipulation can lead to null pointer dereference. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit has been published and may be used. This patch is called 93a9fd98a8baa94289be3b982028201de4534e32. It is advisable to implement a patch to correct this issue.
CVSS 3.1
CVE-2025-14954 WRITEUP LOW WRITEUP
open5gs < 2.7.5 - Reachable Assertion in QER/FAR/URR/PDR Context Handling
A vulnerability has been found in Open5GS up to 2.7.6. Affected is the function ogs_pfcp_pdr_find_or_add/ogs_pfcp_far_find_or_add/ogs_pfcp_urr_find_or_add/ogs_pfcp_qer_find_or_add in the library lib/pfcp/context.c of the component QER/FAR/URR/PDR. The manipulation leads to reachable assertion. It is possible to initiate the attack remotely. The attack's complexity is rated as high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 442369dcd964f03d95429a6a01a57ed21f7779b7. Applying a patch is the recommended action to fix this issue.
CVSS 3.7
CVE-2025-14955 WRITEUP LOW WRITEUP
Open5GS <2.7.5 - Improper Initialization
A vulnerability was found in Open5GS up to 2.7.5. Affected by this vulnerability is the function ogs_pfcp_handle_create_pdr in the library lib/pfcp/handler.c of the component PFCP. The manipulation results in improper initialization. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit has been made public and could be used. The patch is identified as 773117aa5472af26fc9f80e608d3386504c3bdb7. It is best practice to apply a patch to resolve this issue.
CVSS 3.7
CVE-2025-15176 WRITEUP MEDIUM WRITEUP
open5gs < 2.7.5 - Reachable Assertion in PFCP Session Establishment Request Handler
A flaw has been found in Open5GS up to 2.7.5. This affects the function decode_ipv6_header/ogs_pfcp_pdr_rule_find_by_packet of the file lib/pfcp/rule-match.c of the component PFCP Session Establishment Request Handler. Executing a manipulation can lead to reachable assertion. It is possible to launch the attack remotely. The exploit has been published and may be used. This patch is called b72d8349980076e2c033c8324f07747a86eea4f8. Applying a patch is advised to resolve this issue.
CVSS 5.3
CVE-2025-15417 WRITEUP LOW WRITEUP
open5gs < 2.7.6 - Denial of Service in GTPv2-C F-TEID Handler
A vulnerability was identified in Open5GS up to 2.7.6. Affected is the function sgwc_s11_handle_create_session_request of the file src/sgwc/s11-handler.c of the component GTPv2-C F-TEID Handler. Such manipulation leads to denial of service. The attack must be carried out locally. The exploit is publicly available and might be used. The name of the patch is 465273d13ba5d47b274c38c9d1b07f04859178a1. A patch should be applied to remediate this issue.
CVSS 3.3
CVE-2025-15418 WRITEUP LOW WRITEUP
open5gs < 2.7.6 - Denial of Service in Bearer QoS IE Length Handler
A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function ogs_gtp2_parse_bearer_qos in the library lib/gtp/v2/types.c of the component Bearer QoS IE Length Handler. Performing a manipulation results in denial of service. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is named 4e913d21f2c032b187815f063dbab5ebe65fe83a. To fix this issue, it is recommended to deploy a patch.
CVSS 3.3
CVE-2025-15419 WRITEUP LOW WRITEUP
open5gs < 2.7.6 - Denial of Service in GTPv2-C Flow Handler
A weakness has been identified in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c of the component GTPv2-C Flow Handler. Executing a manipulation can lead to denial of service. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. This patch is called 5aaa09907e7b9e0a326265a5f08d56f54280b5f2. It is advisable to implement a patch to correct this issue.
CVSS 3.3
CVE-2025-15528 WRITEUP MEDIUM WRITEUP
Open5GS < 2.7.6 - Denial of Service in GTPv2 Bearer Response Handler
A vulnerability has been found in Open5GS up to 2.7.6. Affected by this vulnerability is an unknown functionality of the component GTPv2 Bearer Response Handler. Such manipulation leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 98f76e98df35cd6a35e868aa62715db7f8141ac1. A patch should be applied to remediate this issue.
CVSS 5.3
CVE-2025-15529 WRITEUP MEDIUM WRITEUP
Open5GS < 2.7.6 - Denial of Service in sgwc_s5c_handle_create_session_response
A vulnerability was found in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c. Performing a manipulation results in denial of service. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named b19cf6a2dbf5d30811be4488bf059c865bd7d1d2. To fix this issue, it is recommended to deploy a patch.
CVSS 5.3
CVE-2025-15532 WRITEUP MEDIUM WRITEUP
Open5GS < 2.7.5 - Denial of Service in Timer Handler
A security flaw has been discovered in Open5GS up to 2.7.5. This issue affects some unknown processing of the component Timer Handler. The manipulation results in resource consumption. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The patch is identified as c7c131f8d2cb1195ada5e0e691b6868ebcd8a845. It is best practice to apply a patch to resolve this issue.
CVSS 5.3
CVE-2025-15539 WRITEUP MEDIUM WRITEUP
open5gs < 2.7.6 - Denial of Service in sgwc_s11_handle_downlink_data_notification_ack
A vulnerability was determined in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_downlink_data_notification_ack of the file src/sgwc/s11-handler.c of the component sgwc. This manipulation causes denial of service. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: b4707272c1caf6a7d4dca905694ea55557a0545f. To fix this issue, it is recommended to deploy a patch. The issue report is flagged as already-fixed.
CVSS 5.3