CVE-2025-15555
Stack-Based Buffer Overflow in Open5GS VoLTE Cx-Test Component
Publication date: 2026-02-04
Last updated on: 2026-04-07
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | to 2.7.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2025-15555 is a stack-based buffer overflow vulnerability in Open5GS versions up to 2.7.6, specifically in the VoLTE Cx-Test component within the function hss_ogs_diam_cx_mar_cb in the file src/hss/hss-cx-path.c.'}, {'type': 'paragraph', 'content': "The issue arises because a buffer named 'ak' is allocated with a length defined by OGS_AK_LEN, but during logging, it is incorrectly logged using a longer length OGS_KEY_LEN. This mismatch causes the logging function to read beyond the allocated buffer boundary, resulting in a stack buffer over-read."}, {'type': 'paragraph', 'content': 'This flaw was detected by Address Sanitizer during testing and can be triggered remotely without authentication. The vulnerability has been fixed by changing the logging call to use the correct buffer length.'}] [1, 2, 3, 4]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can impact the confidentiality, integrity, and availability of the affected system.'}, {'type': 'paragraph', 'content': 'Because it is a stack-based buffer overflow exploitable remotely without authentication, an attacker could potentially cause application instability, crash the service, or leak sensitive information from memory.'}, {'type': 'paragraph', 'content': "The vulnerability's high severity score (CVSSv3 base score 7.3) reflects the significant risk it poses if exploited."}] [2, 3, 4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by compiling Open5GS with Address Sanitizer (ASAN) enabled and running the VoLTE cx-test located in build/tests/volte/volte. The AddressSanitizer will report a stack-buffer-overflow error on the 'ak' variable during the execution of the function hss_ogs_diam_cx_mar_cb."}, {'type': 'paragraph', 'content': 'Specifically, the ASAN error message indicates a stack buffer overread caused by a mismatch in buffer length parameters during logging.'}, {'type': 'paragraph', 'content': 'A suggested command to detect the issue is to run the VoLTE cx-test with ASAN enabled, for example:'}, {'type': 'list_item', 'content': 'Compile Open5GS with Address Sanitizer enabled (e.g., using -fsanitize=address compiler flag).'}, {'type': 'list_item', 'content': 'Run the test executable located at build/tests/volte/volte.'}, {'type': 'list_item', 'content': "Observe the ASAN output for stack-buffer-overflow errors related to the 'ak' buffer in hss_ogs_diam_cx_mar_cb."}] [4, 1, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to apply the patch identified by commit 54dda041211098730221d0ae20a2f9f9173e7a21 available on the Open5GS GitHub repository.
This patch fixes the vulnerability by correcting the logging function call in src/hss/hss-cx-path.c, changing the length parameter from OGS_KEY_LEN to OGS_AK_LEN to prevent the stack buffer overread.
Additionally, updating Open5GS to a version later than 2.7.6 where this fix is included is recommended.