Executive Summary

CVE-2026-2523 is a vulnerability in Open5GS versions up to 2.7.6, specifically in the Session Management Function (SMF) component within the function smf_gn_handle_create_pdp_context_request. The issue occurs when the SMF receives a GTPv1-C CreatePDPContextRequest message that omits the mandatory End User Address (EUA) Information Element (IE). Although the request passes initial mandatory IE checks, the SMF later dereferences the EUA field without verifying its presence, triggering an assertion failure.

This assertion failure causes the open5gs-smfd process to abort unexpectedly, resulting in a denial of service (DoS) condition. The vulnerability can be exploited remotely without authentication by sending a specially crafted CreatePDPContextRequest message missing the EUA IE. A proof-of-concept exploit is publicly available.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a remote denial of service (DoS) on the Open5GS SMF Gn interface. By sending a malformed CreatePDPContextRequest message missing the mandatory End User Address IE, an attacker can trigger an assertion failure that crashes the SMF process.

The impact is a disruption of service availability, as the SMF process aborts and stops handling legitimate requests. Since the attack requires no authentication and can be launched remotely, it poses a moderate risk to network stability and service continuity.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or assertion failures in the Open5GS SMF process, specifically the open5gs-smfd service. Logs showing assertion failures at gn-handler.c line 246 related to the missing End User Address (EUA) Information Element in CreatePDPContextRequest messages indicate exploitation attempts.

Network detection can be performed by capturing and analyzing GTPv1-C CreatePDPContextRequest messages on UDP port 2123 to identify malformed requests missing the mandatory EUA IE.

A practical detection approach is to use packet capture tools like tcpdump or Wireshark to filter GTP-C traffic and inspect CreatePDPContextRequest messages for missing EUA IE.

• Use tcpdump to capture GTP-C traffic on the SMF Gn interface port (default UDP 2123):
• tcpdump -i <interface> udp port 2123 -w capture.pcap
• Analyze the capture with Wireshark or similar tools to inspect CreatePDPContextRequest messages for missing EUA IE.
• Monitor system logs for assertion failures or process crashes related to open5gs-smfd, e.g., using journalctl or syslog:
• journalctl -u open5gs-smfd -f

Useful 0 Not Useful 0

Mitigation Strategies

Currently, no official fix or patch has been released by the Open5GS project for this vulnerability.

Immediate mitigation steps include:

• Consider deploying network-level protections such as firewall rules or intrusion prevention systems to block or filter malformed GTPv1-C CreatePDPContextRequest messages that omit the mandatory EUA IE.
• Monitor the SMF service for crashes and restart it promptly to minimize downtime.
• If possible, restrict access to the SMF Gn interface (UDP port 2123) to trusted sources only.
• Consider using alternative products or versions not affected by this vulnerability until an official patch is available.

Useful 0 Not Useful 0