Open5GS SMF Component Null Pointer Dereference Vulnerability

Vulnerability

A null pointer dereference vulnerability has been identified in Open5GS through version 2.7.7, in the SMF component's function 'smf_nsmf_handle_create_data_in_hsmf'. It is triggered when a 'PduSessionCreateData' request arrives without the 'vcnTunnelInfo' field: the code handles the missing field improperly, and its attempt to log an error for the absent 'vcnTunnelInfo' inadvertently leads to a crash. The issue can be exploited remotely and causes the SMF process to exit unexpectedly.
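The following is an added illustration of the defensive pattern for this bug class, not Open5GS code and not the project's fix: a validator that rejects a request whose optional sub-object is absent without touching the NULL pointer on the error path. The struct layout, the function name `validate_create_data`, and the 400/201 status values are assumptions made for the example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified model of the parsed request (not Open5GS types). */
typedef struct { const char *ipv4_addr; const char *gtp_teid; } tunnel_info_t;
typedef struct {
    const char *supi;
    tunnel_info_t *vcn_tunnel_info;  /* NULL when the JSON field was absent */
} pdu_session_create_data_t;

/* Writes a reason into err and returns the HTTP status to answer with. */
static int reject(char *err, size_t errlen, const char *reason)
{
    if (err && errlen)
        snprintf(err, errlen, "%s", reason);
    return 400;
}

int validate_create_data(const pdu_session_create_data_t *req,
                         char *err, size_t errlen)
{
    if (!req)
        return reject(err, errlen, "No PduSessionCreateData");
    if (!req->vcn_tunnel_info)
        /* Log only constant text here: the error path must not read any
         * member through the pointer just found to be NULL, and it must
         * return rather than fall through to code that uses the field. */
        return reject(err, errlen, "No vcnTunnelInfo");
    if (!req->vcn_tunnel_info->ipv4_addr || !req->vcn_tunnel_info->gtp_teid)
        return reject(err, errlen, "Incomplete vcnTunnelInfo");
    if (err && errlen)
        err[0] = '\0';
    return 201;
}

int main(void)
{
    char err[64];
    /* Constructed sample inputs. */
    tunnel_info_t tun = { "10.0.0.5", "00000001" };
    pdu_session_create_data_t ok = { "imsi-001010000000001", &tun };
    pdu_session_create_data_t missing = { "imsi-001010000000001", NULL };

    printf("%d\n", validate_create_data(&ok, err, sizeof err));
    printf("%d %s\n", validate_create_data(&missing, err, sizeof err), err);
    return strcmp(err, "No vcnTunnelInfo") != 0;
}
```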

Impact

Exploitation of this vulnerability causes the SMF process to crash, disrupting service and potentially leading to a denial of service condition.

Reproduction

To reproduce this vulnerability, send a 'PduSessionCreateData' request to the 'POST /nsmf-pdusession/v1/pdu-sessions' endpoint without including the 'vcnTunnelInfo' field. The SMF component will crash, exiting with a code that indicates a segmentation fault, which is typical for a null pointer dereference.

Added: May 11, 2026, 12:19 AM
Updated: May 11, 2026, 12:19 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 7.9
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.