Open5GS SMF Component Denial-of-Service Vulnerability via Malformed NGAP Messages

Vulnerability

A denial-of-service vulnerability has been identified in the Session Management Function (SMF) component of Open5GS versions prior to 2.7.5. The issue is an assertion failure in the Protocol Configuration Options (PCO) parser. A remote attacker can trigger it by sending specially crafted NGAP messages whose protocol configuration data contains malformed length fields. The failed assertion crashes the SMF process, disrupting service.
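
The failure class described above, shown from the defensive side as an added example (not Open5GS code and not the project's fix): a PCO parser that treats every length field as untrusted and returns an error instead of asserting. The function names `pco_parse` and `pco_count` are hypothetical, the layout (one header octet, then repeated 2-octet ID, 1-octet length, contents) is assumed from 3GPP TS 24.008, and the sample bytes are constructed, since the page does not give the malformed encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define PCO_MAX_ITEMS 8

typedef struct {
    uint16_t id;          /* protocol or container identifier */
    uint8_t len;          /* declared content length (untrusted) */
    const uint8_t *data;  /* points into the caller's buffer */
} pco_item_t;

/* Returns the number of items parsed, or -1 if the buffer is malformed.
 * Every length is checked against the bytes that remain; nothing asserts. */
int pco_parse(const uint8_t *buf, size_t size, pco_item_t *out, int max)
{
    size_t off = 1;  /* skip the header octet (ext bit, configuration protocol) */
    int n = 0;
    if (buf == NULL || size < 1)
        return -1;
    while (off < size) {
        if (size - off < 3 || n >= max)
            return -1;   /* truncated item header, or more items than we hold */
        out[n].id = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        out[n].len = buf[off + 2];
        off += 3;
        if (out[n].len > size - off)
            return -1;   /* declared length runs past the end of the buffer */
        out[n].data = buf + off;
        off += out[n].len;
        n++;
    }
    return n;
}

int pco_count(const uint8_t *buf, size_t size)
{
    pco_item_t items[PCO_MAX_ITEMS];
    return pco_parse(buf, size, items, PCO_MAX_ITEMS);
}

/* Constructed sample inputs, not captured traffic. */
static const uint8_t pco_ok[]  = { 0x80, 0x00, 0x0d, 0x00, 0x00, 0x0a, 0x00 };
static const uint8_t pco_bad[] = { 0x80, 0x00, 0x0d, 0x10, 0x08, 0x08 };

int main(void)
{
    printf("ok=%d bad=%d\n", pco_count(pco_ok, sizeof pco_ok), pco_count(pco_bad, sizeof pco_bad));
    return 0;
}
```

A caller that receives -1 can reject the message and log it, which keeps a single malformed PCO from taking the whole process down.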

Impact

Exploitation of this vulnerability leads to a critical crash of the SMF process, causing a service disruption.

Reproduction

The vulnerability can be reproduced by sending NGAP messages with malformed length fields in the Protocol Configuration Options data to an Open5GS SMF instance. This can be done using a network emulator or fuzzing tool that supports NGAP message manipulation. The SMF process will crash due to the assertion failure, as logged in the SMF error output.

Remediation

Users can update to Open5GS version 2.7.5 or later, where this vulnerability has been fixed.

Added: Apr 30, 2026, 8:24 PM
Updated: Apr 30, 2026, 8:24 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 7.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.