Low severity (3.3) · NVD Advisory · Published Jan 2, 2026 · Updated Apr 29, 2026

CVE-2025-15418


Description

A security flaw has been discovered in Open5GS up to 2.7.6. The vulnerability affects the function ogs_gtp2_parse_bearer_qos in the library lib/gtp/v2/types.c (the Bearer QoS IE length handler). Manipulation of the IE length results in a denial of service. The attack must be initiated from a local position. An exploit has been released to the public and may be used for attacks. The patch is named 4e913d21f2c032b187815f063dbab5ebe65fe83a; to fix this issue, it is recommended to deploy the patch.

Affected products

  • cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*
    Range: <=2.7.6

Patches

4e913d21f2c0

gtp: avoid fatal assert on malformed Bearer/Flow QoS IEs

https://github.com/open5gs/open5gs · Sukchan Lee · Dec 25, 2025 · via nvd-ref
3 files changed · +35 −7
  • lib/gtp/v2/types.c · +13 −2 · modified
    @@ -31,7 +31,13 @@ int16_t ogs_gtp2_parse_bearer_qos(
     
         ogs_assert(bearer_qos);
         ogs_assert(octet);
    -    ogs_assert(octet->len == GTP2_BEARER_QOS_LEN);
    +
    +    /* Validate IE length instead of asserting */
    +    if (octet->len != GTP2_BEARER_QOS_LEN) {
    +        ogs_error("Invalid Bearer QoS IE length [%u], expected [%u]",
    +                octet->len, GTP2_BEARER_QOS_LEN);
    +        return 0;
    +    }
     
         source = (ogs_gtp2_bearer_qos_t *)octet->data;
     
    @@ -208,7 +214,12 @@ int16_t ogs_gtp2_parse_flow_qos(
     
         ogs_assert(flow_qos);
         ogs_assert(octet);
    -    ogs_assert(octet->len == GTP2_FLOW_QOS_LEN);
    +
    +    if (octet->len != GTP2_FLOW_QOS_LEN) {
    +        ogs_error("Invalid Flow QoS IE length [%u], expected [%u]",
    +                octet->len, GTP2_FLOW_QOS_LEN);
    +        return 0;
    +    }
     
         source = (ogs_gtp2_flow_qos_t *)octet->data;
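Review bot: The new early `return 0;` in both hunks happens before `source = ... octet->data` is assigned, so on a bad length nothing is written into the caller's `bearer_qos`/`flow_qos` and the failure is signalled only through the return value, yet neither function's contract is documented; a caller that ignores the return would go on to read an uninitialised struct. Add above each function a comment along the lines of `/* Returns the IE length on success, 0 if octet->len is not GTP2_BEARER_QOS_LEN; *bearer_qos is left untouched on failure. */` (and the Flow QoS equivalent), assuming the success return is indeed the IE length as the callers' new `GTP2_BEARER_QOS_LEN != decoded` checks imply. Any call site outside this commit that still uses the removed pattern `ogs_assert(decoded == ...len)` would now turn the same malformed IE into the fatal assert this change removes, so the remaining callers of both parsers are worth auditing. Both functions start and end outside the hunks.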
     
    
  • src/sgwc/s11-handler.c · +8 −2 · modified
    @@ -293,6 +293,8 @@ void sgwc_s11_handle_create_session_request(
         /* Check if selected SGW-U is associated with SGW-C */
         ogs_assert(sess->pfcp_node);
         if (!OGS_FSM_CHECK(&sess->pfcp_node->sm, sgwc_pfcp_state_associated)) {
    +        ogs_error("[%s:%s] Remote peer not responding",
    +                  sgwc_ue->imsi_bcd, sess->session.name);
             cause_value = OGS_GTP2_CAUSE_REMOTE_PEER_NOT_RESPONDING;
             goto cleanup;
         }
    @@ -316,8 +318,12 @@ void sgwc_s11_handle_create_session_request(
     
             decoded = ogs_gtp2_parse_bearer_qos(&bearer_qos,
                     &req->bearer_contexts_to_be_created[i].bearer_level_qos);
    -        ogs_assert(decoded ==
    -                req->bearer_contexts_to_be_created[i].bearer_level_qos.len);
    +        if (GTP2_BEARER_QOS_LEN != decoded) {
    +            ogs_error("Invalid Bearer QoS IE in Create Session Request "
    +                    "(decoded=%d, expected=%d)", decoded, GTP2_BEARER_QOS_LEN);
    +            cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_INCORRECT;
    +            goto cleanup;
    +        }
     
             bearer = sgwc_bearer_add(sess);
             ogs_assert(bearer);
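Review bot: The `goto cleanup` added in the second hunk exits from inside the loop over `bearer_contexts_to_be_created[i]`, after earlier iterations may already have called `sgwc_bearer_add(sess)`; whether the `cleanup` label releases those bearers together with the session is outside the hunk, so that path should be checked for leaking them (the smf s5c create-session hunk has the same mid-loop exit, returning the cause directly). Comparing `GTP2_BEARER_QOS_LEN != decoded` instead of the IE's own `.len` is correct now that the parser returns 0 on a bad length, but a one-line comment such as `/* parser returns 0 on a malformed IE; do not compare against .len */` would stop a later reader from restoring the old comparison. sgwc_s11_handle_create_session_request starts and ends outside the hunks.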
    
  • src/smf/s5c-handler.c · +14 −3 · modified
    @@ -344,8 +344,11 @@ uint8_t smf_s5c_handle_create_session_request(
     
             decoded = ogs_gtp2_parse_bearer_qos(&bearer_qos,
                     &req->bearer_contexts_to_be_created[i].bearer_level_qos);
    -        ogs_assert(decoded ==
    -                req->bearer_contexts_to_be_created[i].bearer_level_qos.len);
    +        if (GTP2_BEARER_QOS_LEN != decoded) {
    +            ogs_error("Invalid Bearer QoS IE in Create Session Request "
    +                    "(decoded=%d, expected=%d)", decoded, GTP2_BEARER_QOS_LEN);
    +            return OGS_GTP2_CAUSE_MANDATORY_IE_INCORRECT;
    +        }
     
             bearer = smf_bearer_add(sess);
             ogs_assert(bearer);
    @@ -1488,7 +1491,15 @@ void smf_s5c_handle_bearer_resource_command(
     
             decoded = ogs_gtp2_parse_flow_qos(
                     &flow_qos, &cmd->flow_quality_of_service);
    -        ogs_assert(cmd->flow_quality_of_service.len == decoded);
    +        if (GTP2_FLOW_QOS_LEN != decoded) {
    +            ogs_error("Invalid Flow QoS IE length (decoded=%d, ie_len=%u)",
    +                      decoded, GTP2_FLOW_QOS_LEN);
    +            ogs_gtp2_send_error_message(
    +                    xact, get_sender_f_teid(sess, sender_f_teid),
    +                    OGS_GTP2_BEARER_RESOURCE_FAILURE_INDICATION_TYPE,
    +                    OGS_GTP2_CAUSE_INVALID_MESSAGE_FORMAT);
    +            return;
    +        }
     
             bearer->qos.mbr.uplink = flow_qos.ul_mbr;
             bearer->qos.mbr.downlink = flow_qos.dl_mbr;
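Review bot: In the second hunk the new log line `ogs_error("Invalid Flow QoS IE length (decoded=%d, ie_len=%u)", decoded, GTP2_FLOW_QOS_LEN)` labels the expected constant as `ie_len`, so the one value needed to triage a rejected Bearer Resource Command, the peer-supplied `cmd->flow_quality_of_service.len`, is never printed; change it to `ogs_error("Invalid Flow QoS IE length (decoded=%d, ie_len=%u, expected=%d)", decoded, cmd->flow_quality_of_service.len, GTP2_FLOW_QOS_LEN);`. That also removes the `%u` applied to a macro constant, which the create-session hunks in this file and in the sgwc handler print with `%d`. The first hunk's `return OGS_GTP2_CAUSE_MANDATORY_IE_INCORRECT` leaves the loop after `smf_bearer_add` may have run for earlier bearer contexts; whether the caller's handling of a non-accepted cause tears down `sess` and those bearers is outside the hunk and worth confirming. Both functions start and end outside the hunks.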
    


References

