CVE-2025-15531
BaseFortify
Publication date: 2026-01-17
Last updated on: 2026-02-23
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | up to 2.7.5 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15531 is a denial-of-service vulnerability in Open5GS's Serving Gateway Control plane (SGW-C) up to version 2.7.5. The issue occurs in the function sgwc_bearer_add when the system tries to allocate a new bearer but the bearer pool is exhausted, causing the allocation to return NULL. The code then triggers an assertion failure on this NULL pointer, which causes the SGW-C process to crash. This vulnerability can be exploited remotely without authentication by sending many bearer creation requests that exceed the bearer pool limit, leading to a fatal assertion and crash of the SGW-C component. [1, 2, 3]
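The failure mode described above, as an added illustration: a simplified model written for this page, not Open5GS source and not the project's fix. It shows a fixed-size pool with an asserting allocation path beside one that reports exhaustion to the caller; all function names and `POOL_SIZE` are hypothetical.

```c
/* Simplified model (not Open5GS code): a fixed-size bearer pool and two
 * ways of handling exhaustion. All names and POOL_SIZE are hypothetical. */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

#define POOL_SIZE 4                      /* assumed limit for the demo */

typedef struct { int in_use; unsigned ebi; } bearer_t;
static bearer_t pool[POOL_SIZE];

/* Returns a free slot, or NULL when the pool is exhausted. */
static bearer_t *pool_alloc(void) {
    for (size_t i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;
}

void pool_release(bearer_t *b) { if (b) b->in_use = 0; }

/* CWE-617 pattern: request volume chosen by a peer can make pool_alloc()
 * return NULL, and the assert then aborts the whole process. */
bearer_t *bearer_add_asserting(unsigned ebi) {
    bearer_t *b = pool_alloc();
    assert(b);                           /* reachable through remote input */
    b->ebi = ebi;
    return b;
}

/* Hardened pattern: exhaustion is an expected runtime condition, so it is
 * reported to the caller, which rejects that one request and keeps running. */
bearer_t *bearer_add_checked(unsigned ebi) {
    bearer_t *b = pool_alloc();
    if (!b) return NULL;
    b->ebi = ebi;
    return b;
}

/* Handles n requests with the checked variant; returns how many were rejected. */
int handle_requests(int n) {
    int rejected = 0;
    for (int i = 0; i < n; i++)
        if (!bearer_add_checked(5 + (unsigned)i)) rejected++;
    return rejected;
}

int main(void) {
    printf("rejected %d of 10 requests, process still running\n", handle_requests(10));
    return 0;
}
```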
How can this vulnerability impact me?
Exploitation of this vulnerability results in a denial of service (DoS) condition by crashing the Open5GS SGW-C process. This disrupts the availability of the mobile network session management, potentially causing service outages or interruptions for users relying on the affected network component. Since the attack can be performed remotely without authentication, it poses a significant risk to network stability and reliability. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the SGW-C logs for fatal assertion failure messages related to bearer allocation, specifically messages indicating an assertion failure in the function sgwc_bearer_add at context.c:560. Detection involves observing crashes or aborts of the SGW-C process triggered by bearer pool exhaustion. Additionally, network monitoring can focus on unusually high volumes of CreateSessionRequest messages over the S11 interface, which are used in the proof-of-concept exploit to exhaust the bearer pool. While no specific commands are provided, checking the SGW-C log file (commonly at /var/log/open5gs/sgwc.log) for fatal assertion errors and monitoring GTPv2 CreateSessionRequest traffic on the S11 interface would be practical steps. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Open5GS to version 2.7.6 or later, where this vulnerability has been fixed. Since the issue is caused by improper handling of bearer pool exhaustion leading to assertion failure and crash, updating to the fixed version prevents the denial of service. Additionally, monitoring and limiting the number of CreateSessionRequest messages and bearer allocations to avoid exhausting the bearer pool can help reduce risk until the update is applied. No other specific mitigations or workarounds are recommended at the time of disclosure. [1, 2, 3]