Vendor CVEs
Open5gs
All CVEs
173 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description | Vendor / Product | Sev | KEV |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-8803 | 0.00 | — | 0.01 | Aug 10, 2025 | A vulnerability has been found in Open5GS up to 2.7.5. Affected is the function gmm_state_de_registered/gmm_state_exception of the file src/amf/gmm-sm.c of the component AMF. The manipulation leads to denial of service. It is possible to launch the attack remotely. Upgrading to… | |||
| CVE-2025-8802 | 0.00 | — | 0.01 | Aug 10, 2025 | A vulnerability was determined in Open5GS up to 2.7.5. This vulnerability affects the function smf_state_operational of the file src/smf/smf-sm.c of the component SMF. The manipulation of the argument stream leads to denial of service. The attack can be initiated remotely. The… | |||
| CVE-2025-8801 | 0.00 | — | 0.01 | Aug 10, 2025 | A vulnerability was found in Open5GS up to 2.7.5. This affects the function gmm_state_exception of the file src/amf/gmm-sm.c of the component AMF. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the… | |||
| CVE-2025-8800 | 0.00 | — | 0.01 | Aug 10, 2025 | A vulnerability has been found in Open5GS up to 2.7.5. Affected by this issue is the function esm_handle_pdn_connectivity_request of the file src/mme/esm-handler.c of the component AMF Component. The manipulation leads to denial of service. The attack may be launched remotely.… | |||
| CVE-2025-8799 | 0.00 | — | 0.01 | Aug 10, 2025 | A vulnerability was identified in Open5GS up to 2.7.5. Affected by this vulnerability is the function amf_npcf_am_policy_control_build_create/amf_nsmf_pdusession_build_create_sm_context of the file src/amf/npcf-build.c of the component AMF. The manipulation leads to denial of… | |||
| CVE-2025-7485 | 0.00 | — | 0.00 | Jul 12, 2025 | A vulnerability classified as problematic was found in Open5GS up to 2.7.3. Affected by this vulnerability is the function ngap_recv_handler/s1ap_recv_handler/recv_handler of the component SCTP Partial Message Handler. The manipulation leads to reachable assertion. The attack… | |||
| CVE-2025-6952 | 0.00 | — | 0.00 | Jul 1, 2025 | A vulnerability, which was classified as problematic, has been found in Open5GS up to 2.7.5. This issue affects the function amf_state_operational of the file src/amf/amf-sm.c of the component AMF Service. The manipulation leads to reachable assertion. It is possible to launch… | |||
| CVE-2025-44952 | 0.00 | — | 0.00 | Jun 18, 2025 | A missing length check in `ogs_pfcp_subnet_add` function from PFCP library, used by both smf and upf in open5gs 2.7.2 and earlier, allows a local attacker to cause a Buffer Overflow by changing the `session.dnn` field with a value with length greater than 101. | |||
| CVE-2025-44951 | 0.00 | — | 0.00 | Jun 18, 2025 | A missing length check in `ogs_pfcp_dev_add` function from PFCP library, used by both smf and upf in open5gs 2.7.2 and earlier, allows a local attacker to cause a Buffer Overflow by changing the `session.dev` field with a value with length greater than 32. | |||
| CVE-2025-29646 | 0.00 | — | 0.00 | Jun 18, 2025 | An issue in upf in open5gs 2.7.2 and earlier allows a remote attacker to cause a Denial of Service via a crafted PFCP SessionEstablishmentRequest packet with restoration indication = true and (teid = 0 or teid >= ogs_pfcp_pdr_teid_pool.size). | |||
| CVE-2025-5935 | 0.00 | — | 0.01 | Jun 10, 2025 | A vulnerability was found in Open5GS up to 2.7.3. It has been declared as problematic. Affected by this vulnerability is the function common_register_state of the file src/mme/emm-sm.c of the component AMF/MME. The manipulation of the argument ran_ue_id leads to denial of… | |||
| CVE-2025-5520 | 0.00 | — | 0.01 | Jun 3, 2025 | A vulnerability was found in Open5GS up to 2.7.3. It has been classified as problematic. Affected is the function gmm_state_authentication/emm_state_authentication of the component AMF/MME. The manipulation leads to reachable assertion. It is possible to launch the attack… | |||
| CVE-2025-5501 | 0.00 | — | 0.01 | Jun 3, 2025 | A vulnerability classified as problematic was found in Open5GS up to 2.7.3. Affected by this vulnerability is the function ngap_handle_path_switch_request_transfer of the file src/smf/ngap-handler.c of the component NGAP PathSwitchRequest Message Handler. The manipulation leads… | |||
| CVE-2025-25774 | 0.00 | — | 0.00 | Mar 12, 2025 | An issue was discovered in Open5GS v2.7.2. When a UE switches between two gNBs and sends a handover request at a specific time, it may cause an exception in the AMF's internal state machine, leading to an AMF crash and resulting in a Denial of Service (DoS). | |||
| CVE-2025-1925 | 0.00 | — | 0.01 | Mar 4, 2025 | A vulnerability classified as problematic was found in Open5GS up to 2.7.2. Affected by this vulnerability is the function amf_nsmf_pdusession_handle_update_sm_context of the file src/amf/nsmf-handler.c of the component AMF. The manipulation leads to denial of service. The… | |||
| CVE-2025-1893 | 0.00 | — | 0.01 | Mar 4, 2025 | A vulnerability was found in Open5GS up to 2.7.2. It has been declared as problematic. Affected by this vulnerability is the function gmm_state_authentication of the file src/amf/gmm-sm.c of the component AMF. The manipulation leads to denial of service. The attack can be… | |||
| CVE-2024-56921 | 0.00 | — | 0.00 | Feb 3, 2025 | An issue was discovered in Open5gs v2.7.2. InitialUEMessage, Registration request sent at a specific time can crash AMF due to incorrect error handling of gmm_state_exception() function upon receipt of the Nausf_UEAuthentication_Authenticate response. | |||
| CVE-2024-57519 | 0.00 | — | 0.01 | Jan 28, 2025 | An issue in Open5GS v.2.7.2 allows a remote attacker to cause a denial of service via the ogs_dbi_auth_info function in lib/dbi/subscription.c file. | |||
| CVE-2023-37011 | 0.00 | — | 0.00 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send a `Handover Required` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME, resulting in denial… | |||
| CVE-2023-37003 | 0.00 | — | 0.00 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send an `E-RAB Setup Response` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME, resulting in… | |||
| CVE-2023-37007 | 0.00 | — | 0.00 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send a `Handover Cancel` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME, resulting in denial of… | |||
| CVE-2023-37020 | 0.00 | — | 0.01 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send a `UE Context Release Complete` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME, resulting… | |||
| CVE-2023-37005 | 0.00 | — | 0.00 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send an `Initial Context Setup Failure` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME,… | |||
| CVE-2024-24432 | 0.00 | — | 0.00 | Jan 22, 2025 | A reachable assertion in the ogs_kdf_hash_mme function of Open5GS <= 2.6.4 allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet. | |||
| CVE-2023-37019 | 0.00 | — | 0.01 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send an `S1Setup Request` message missing a required `Supported TAs` field to repeatedly crash the MME, resulting in denial of… | |||
| CVE-2024-24429 | 0.00 | — | 0.01 | Jan 22, 2025 | A reachable assertion in the nas_eps_send_emm_to_esm function of Open5GS <= 2.6.4 allows attackers to cause a Denial of Service (DoS) via a crafted NGAP packet. | |||
| CVE-2023-37021 | 0.00 | — | 0.01 | Jan 22, 2025 | Open5GS MME version <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send a `UE Context Modification Failure` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME,… | |||
| CVE-2023-37014 | 0.00 | — | 0.01 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send a `UE Context Release Request` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME, resulting… | |||
| CVE-2023-37008 | 0.00 | — | 0.00 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contain a buffer overflow in the ASN.1 deserialization function of the S1AP handler. This buffer overflow causes type confusion in decoded fields, leading to invalid parsing and freeing of memory. An attacker may use this to crash an MME or… | |||
| CVE-2023-37002 | 0.00 | — | 0.00 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send an `E-RAB Modification Indication` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME,… | |||
| CVE-2023-37012 | 0.00 | — | 0.00 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send an `Initial UE Message` message missing a required `PLMN Identity` field to repeatedly crash the MME, resulting in denial… | |||
| CVE-2023-37023 | 0.00 | — | 0.01 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contain a reachable assertion in the `Uplink NAS Transport` packet handler. A packet missing its `MME_UE_S1AP_ID` field causes Open5gs to crash; an attacker may repeatedly send such packets to cause denial of service. | |||
| CVE-2023-37006 | 0.00 | — | 0.00 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send a `Handover Request Ack` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME, resulting in… | |||
| CVE-2023-37017 | 0.00 | — | 0.01 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send an `S1Setup Request` message missing a required `Global eNB ID` field to repeatedly crash the MME, resulting in denial of… | |||
| CVE-2024-24430 | 0.00 | — | 0.01 | Jan 22, 2025 | A reachable assertion in the mme_ue_find_by_imsi function of Open5GS <= 2.6.4 allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet. | |||
| CVE-2023-37016 | 0.00 | — | 0.01 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send a `UE Context Modification Response` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME,… | |||
| CVE-2023-37018 | 0.00 | — | 0.01 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send a `UE Capability Info Indication` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME,… | |||
| CVE-2023-37004 | 0.00 | — | 0.00 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send an `Initial Context Setup Response` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME,… | |||
| CVE-2023-37013 | 0.00 | — | 0.01 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a sufficiently large ASN.1 packet over the S1AP interface. An attacker may repeatedly send such an oversized packet to cause the `ogs_sctp_recvmsg` routine to reach an unexpected network state… | |||
| CVE-2023-37015 | 0.00 | — | 0.01 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send a `Path Switch Request` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME, resulting in… | |||
| CVE-2024-34235 | 0.00 | — | 0.01 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send an `Initial UE Message` missing a required `NAS_PDU` field to repeatedly crash the MME, resulting in denial of service. | |||
| CVE-2023-37010 | 0.00 | — | 0.00 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send an `eNB Status Transfer` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME, resulting in… | |||
| CVE-2023-37022 | 0.00 | — | 0.01 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contain a reachable assertion in the `UE Context Release Request` packet handler. A packet containing an invalid `MME_UE_S1AP_ID` field causes Open5gs to crash; an attacker may repeatedly send such packets to cause denial of service. | |||
| CVE-2023-37009 | 0.00 | — | 0.00 | Jan 22, 2025 | Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send a `Handover Notification` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME, resulting in… | |||
| CVE-2024-24427 | 0.00 | — | 0.00 | Jan 21, 2025 | A reachable assertion in the amf_ue_set_suci function of Open5GS <= 2.6.4 allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet. | |||
| CVE-2024-24428 | 0.00 | — | 0.00 | Jan 21, 2025 | A reachable assertion in the oai_nas_5gmm_decode function of Open5GS <= 2.6.4 allows attackers to cause a Denial of Service (DoS) via a crafted NGAP packet. | |||
| CVE-2024-24431 | 0.00 | — | 0.01 | Nov 15, 2024 | A reachable assertion in the ogs_nas_emm_decode function of Open5GS v2.7.0 allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet with a zero-length EMM message length. | |||
| CVE-2024-40129 | 0.00 | — | 0.00 | Jul 16, 2024 | Open5GS v2.6.4 is vulnerable to Buffer Overflow. via /lib/pfcp/context.c. | |||
| CVE-2024-40130 | 0.00 | — | 0.01 | Jul 16, 2024 | open5gs v2.6.4 is vulnerable to Buffer Overflow. via /lib/core/abts.c. | |||
| CVE-2024-33382 | 0.00 | — | 0.00 | May 8, 2024 | An issue in Open5GS v.2.7.0 allows an attacker to cause a denial of service via the 64 unsuccessful UE/gnb registration |