Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2517 is a remote denial-of-service (DoS) vulnerability in the Session Management Function (SMF) component of Open5GS version 2.7.6. The flaw exists in the function ogs_gtp2_parse_tft within the source file lib/gtp/v2/types.c. It is triggered when the SMF receives a Bearer Resource Command message containing a malformed Traffic Aggregate Description (TAD) Information Element (IE), encoded as a Traffic Flow Template (TFT).'}, {'type': 'paragraph', 'content': "The vulnerability occurs because the packet filter's content length field (pf[0].content.length) is set to an excessively large value (e.g., 255), while the actual content bytes provided are much fewer. This causes the parser to read beyond the available buffer, leading to an internal assertion failure and crashing the SMF process."}, {'type': 'paragraph', 'content': 'An attacker can exploit this remotely without authentication by sending a crafted Bearer Resource Command message to cause the SMF to abort, resulting in denial of service.'}] [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited remotely by an attacker to cause the SMF process in Open5GS to crash, resulting in a denial of service. This means the affected service becomes unavailable or unresponsive, potentially disrupting network functions that rely on the SMF.

Since the SMF is a critical component in managing sessions in mobile networks, its unavailability can lead to service interruptions affecting users and network operations.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the SMF logs for assertion failures related to the parsing of Traffic Flow Template (TFT) within Bearer Resource Command messages on the S5-C interface. Specifically, look for logs indicating an assertion failure such as `size + len + sizeof(tft->pf[i].content.component[j].type) <= octet->len` and process crashes with SIGABRT signals.

Detection can also involve capturing and analyzing network traffic on the S5-C interface for Bearer Resource Command messages containing malformed Traffic Aggregate Description (TAD) Information Elements (IE) where the packet filter content length (`pf[0].content.length`) is set to an abnormally large value (e.g., 255) but the actual content bytes are fewer.

While no specific commands are provided in the resources, a practical approach includes using packet capture tools such as tcpdump or Wireshark to filter and inspect S5-C interface traffic for suspicious Bearer Resource Command messages. For example, you might use:

• tcpdump -i <interface> port <S5-C port> -w capture.pcap
• Then analyze capture.pcap in Wireshark to identify malformed TAD IEs with suspicious packet filter content lengths.

Additionally, monitoring the SMF process for unexpected crashes or restarts can indicate exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps are limited as no official patch or fix has been released by the Open5GS project yet.

Recommended immediate actions include:

• Monitor and restrict access to the S5-C interface to trusted and authenticated sources only, reducing exposure to remote attackers.
• Implement network-level filtering or intrusion detection/prevention systems (IDS/IPS) to detect and block malformed Bearer Resource Command messages with suspicious Traffic Aggregate Description IEs.
• Regularly monitor SMF logs for signs of assertion failures or crashes indicative of exploitation attempts.
• Consider temporarily disabling or isolating the vulnerable SMF component if feasible, or using alternative products or workarounds until a patch is available.

Useful 0 Not Useful 0