Magma Mobile Management Entity Null Pointer Dereference Vulnerability via S1AP eNB Configuration Transfer Packet

Vulnerability

A null pointer dereference vulnerability has been identified in the Mobile Management Entity (MME) of Magma versions through 1.8.0. This vulnerability allows network-adjacent attackers to crash the MME by sending an S1AP 'eNB Configuration Transfer' packet that omits the required 'Target eNB ID' field. The issue has been fixed in Magma version 1.9.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the affected MME.

Reproduction

To reproduce this vulnerability, send an S1AP 'eNB Configuration Transfer' packet to the Magma MME. Ensure that the packet is missing the 'Target eNB ID' field. This can be done by using a software-defined radio (SDR) or, due to a recent change in how these packets are handled, by sending the packet over the Internet.

Remediation

Users can upgrade to Magma version 1.9 or later to address this vulnerability.
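
For maintainers reviewing similar S1AP handlers, the following added example (not Magma's code or its actual patch) shows the unsafe pattern next to a handler that checks for the 'Target eNB ID' before using it. All type, field and function names are hypothetical. It assumes the decoder leaves a pointer NULL when an information element is absent from the packet.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical decoded form of an eNB Configuration Transfer message.
 * Assumption: the decoder leaves a pointer NULL when the IE was absent. */
typedef struct { uint32_t enb_id; } enb_id_t;
typedef struct {
    const enb_id_t *target_enb_id;   /* NULL if the sender omitted it */
    const enb_id_t *source_enb_id;
} enb_config_transfer_t;

typedef enum {
    XFER_OK = 0,
    XFER_ERR_MISSING_IE = -1,
    XFER_ERR_UNKNOWN_TARGET = -2
} xfer_rc_t;

/* Constructed sample table of currently connected eNBs. */
static const uint32_t connected_enbs[] = { 0x1001, 0x1002 };

static int enb_is_connected(uint32_t id) {
    for (size_t i = 0; i < sizeof connected_enbs / sizeof connected_enbs[0]; i++)
        if (connected_enbs[i] == id) return 1;
    return 0;
}

/* Unsafe pattern: assumes the IE is always present, so a NULL
 * target_enb_id is dereferenced and the process crashes. */
int unsafe_target_is_connected(const enb_config_transfer_t *msg) {
    return enb_is_connected(msg->target_enb_id->enb_id);
}

/* Hardened handler: validate presence of every IE it will read,
 * and return an error the caller can log instead of crashing. */
xfer_rc_t handle_enb_config_transfer(const enb_config_transfer_t *msg) {
    if (msg == NULL || msg->target_enb_id == NULL || msg->source_enb_id == NULL)
        return XFER_ERR_MISSING_IE;
    if (!enb_is_connected(msg->target_enb_id->enb_id))
        return XFER_ERR_UNKNOWN_TARGET;
    return XFER_OK;   /* message is safe to forward to the target eNB */
}
```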

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.