CVE-2025-15555
Unknown Unknown - Not Provided
Stack-Based Buffer Overflow in Open5GS VoLTE Cx-Test Component

Publication date: 2026-02-04

Last updated on: 2026-04-07

Assigner: VulDB

Description
A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function hss_ogs_diam_cx_mar_cb of the file src/hss/hss-cx-path.c of the component VoLTE Cx-Test. The manipulation of the argument OGS_KEY_LEN results in stack-based buffer overflow. The attack may be launched remotely. The patch is identified as 54dda041211098730221d0ae20a2f9f9173e7a21. A patch should be applied to remediate this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15555
EUVD
EUVD-2025-206778
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open5gs open5gs to 2.7.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-15555 is a stack-based buffer overflow vulnerability in Open5GS versions up to 2.7.6, specifically in the VoLTE Cx-Test component within the function hss_ogs_diam_cx_mar_cb in the file src/hss/hss-cx-path.c.'}, {'type': 'paragraph', 'content': "The issue arises because a buffer named 'ak' is allocated with a length defined by OGS_AK_LEN, but during logging, it is incorrectly logged using a longer length OGS_KEY_LEN. This mismatch causes the logging function to read beyond the allocated buffer boundary, resulting in a stack buffer over-read."}, {'type': 'paragraph', 'content': 'This flaw was detected by Address Sanitizer during testing and can be triggered remotely without authentication. The vulnerability has been fixed by changing the logging call to use the correct buffer length.'}] [1, 2, 3, 4]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can impact the confidentiality, integrity, and availability of the affected system.'}, {'type': 'paragraph', 'content': 'Because it is a stack-based buffer overflow exploitable remotely without authentication, an attacker could potentially cause application instability, crash the service, or leak sensitive information from memory.'}, {'type': 'paragraph', 'content': "The vulnerability's high severity score (CVSSv3 base score 7.3) reflects the significant risk it poses if exploited."}] [2, 3, 4]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by compiling Open5GS with Address Sanitizer (ASAN) enabled and running the VoLTE cx-test located in build/tests/volte/volte. The AddressSanitizer will report a stack-buffer-overflow error on the 'ak' variable during the execution of the function hss_ogs_diam_cx_mar_cb."}, {'type': 'paragraph', 'content': 'Specifically, the ASAN error message indicates a stack buffer overread caused by a mismatch in buffer length parameters during logging.'}, {'type': 'paragraph', 'content': 'A suggested command to detect the issue is to run the VoLTE cx-test with ASAN enabled, for example:'}, {'type': 'list_item', 'content': 'Compile Open5GS with Address Sanitizer enabled (e.g., using -fsanitize=address compiler flag).'}, {'type': 'list_item', 'content': 'Run the test executable located at build/tests/volte/volte.'}, {'type': 'list_item', 'content': "Observe the ASAN output for stack-buffer-overflow errors related to the 'ak' buffer in hss_ogs_diam_cx_mar_cb."}] [4, 1, 3]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to apply the patch identified by commit 54dda041211098730221d0ae20a2f9f9173e7a21 available on the Open5GS GitHub repository.

This patch fixes the vulnerability by correcting the logging function call in src/hss/hss-cx-path.c, changing the length parameter from OGS_KEY_LEN to OGS_AK_LEN to prevent the stack buffer overread.

Additionally, updating Open5GS to a version later than 2.7.6 where this fix is included is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15555. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart