Mitigation Strategies

The immediate mitigation step is to apply the patch identified by commit c7c131f8d2cb1195ada5e0e691b6868ebcd8a845, which replaces fatal assertions on resource exhaustion with graceful error handling, preventing process crashes. Until the patch is applied, administrators should monitor and limit the rate of incoming GTPv2 Create Session Requests to the SGW-C to avoid resource exhaustion. Implementing network-level rate limiting or filtering to block or throttle excessive CSR messages can reduce the risk of exploitation. Additionally, monitoring system logs for early signs of resource exhaustion or assertion failures can help in taking proactive measures. Ultimately, upgrading Open5GS to version 2.7.6 or later with the fix applied is recommended to fully resolve the issue. [1, 2, 3, 5, 6]

Useful 0 Not Useful 0

Executive Summary

CVE-2025-15532 is a remote Denial of Service (DoS) vulnerability in the Open5GS Serving Gateway Control plane (SGW-C) component. It occurs when the SGW-C is flooded with a rapid sequence of GTPv2 Create Session Request (CSR) messages, which exhausts internal resources such as the UE/session context pool and timer pools. This resource exhaustion leads to fatal assertion failures in the code, causing the SGW-C process to abort and crash, resulting in a complete service outage. The root cause is improper handling of resource exhaustion, where instead of gracefully rejecting excessive requests, the system crashes due to unhandled allocation failures and assertions. A proof-of-concept exploit exists that sends multiple CSR messages with varying parameters to trigger this condition. [1, 2, 3, 6]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a complete denial of service on the Open5GS SGW-C component by crashing the process handling session creation. An attacker can remotely exploit this by flooding the SGW-C with numerous GTPv2 Create Session Requests, exhausting critical resources and causing fatal assertion failures that abort the service. This results in service outages and disruption of network operations relying on Open5GS, impacting availability and potentially causing downtime until the service is restarted or patched. [1, 2, 3, 6]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for abnormal crashes or core dumps of the open5gs-sgwcd process, especially following a rapid influx of GTPv2 Create Session Request (CSR) messages. Logs may show fatal assertion failures such as `sgwc_ue_add: Assertion 'sgwc_ue' failed` or `ogs_pool_alloc()` failures in timer allocation functions. Detection can also involve capturing and analyzing network traffic for unusually high volumes of GTPv2 CSR packets sent to the SGW-C's GTP-C interface (UDP port 2123). While no specific commands are provided, network administrators can use packet capture tools like tcpdump or Wireshark to filter GTPv2 CSR messages (e.g., `tcpdump -i <interface> udp port 2123 and 'gtpv2'`) and monitor system logs for process aborts or core dumps related to open5gs-sgwcd. [1, 2, 3, 6]

Useful 0 Not Useful 0