| Title | Open5GS <=v2.7.5 Denial of Service |
|---|
| Description | A denial-of-service (DoS) vulnerability exists in Open5GS SMF (version v2.7.5 and earlier), caused by improper validation of SBI stream state under resource-constrained conditions during PDU session release.
This issue is triggered when the SMF operates under strict memory limits, and an HTTP/2 stream (used for SBI communication) has already been closed — for example, after receiving a RST_STREAM from a peer NF. Despite the stream being invalid, the SMF proceeds to process the event without checking the stream's state, leading to a fatal assertion failure in the function smf_state_operational().
Instead of handling the situation gracefully — by skipping the event or logging an error — the SMF crashes on the assertion assert(stream), resulting in termination of the entire SMF process, even though the failure is tied to a single UE context.
A remote attacker could potentially exploit this vulnerability by simulating high churn (frequent PDU session releases) under load, triggering stream closures and causing the SMF to repeatedly crash.
CVSS v4.0 Base Score
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Base Score: 8.8 (High) |
|---|
| Source | ⚠️ https://github.com/open5gs/open5gs/issues/3978 |
|---|
| User | lixxxiang (UID 88572) |
|---|
| Submission | 31/07/2025 07:57 AM (9 months ago) |
|---|
| Moderation | 09/08/2025 09:21 AM (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 319330 [Open5GS up to 2.7.5 SMF src/smf/smf-sm.c smf_state_operational stream denial of service] |
|---|
| Points | 20 |
|---|
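The failure mode in the description, shown as an added example that is not Open5GS code: an event handler that asserts on a stream lookup, next to a form that treats a closed stream as a per-event error. The stream pool and every function and type name here are hypothetical stand-ins.

```c
#include <assert.h>
#include <stdio.h>
#include <stddef.h>

#define MAX_STREAMS 4
enum { EVT_HANDLED = 0, EVT_DROPPED = -1 };

/* Hypothetical stand-in for an SBI HTTP/2 stream; not an Open5GS type. */
typedef struct { int id; int open; } sbi_stream_t;
static sbi_stream_t pool[MAX_STREAMS];

/* Returns NULL for an unknown id or a stream that is already closed. */
static sbi_stream_t *stream_find(int id) {
    for (size_t i = 0; i < MAX_STREAMS; i++)
        if (pool[i].open && pool[i].id == id) return &pool[i];
    return NULL;
}

/* Opens a stream in the first free slot; returns -1 when the pool is full. */
int stream_open(int id) {
    for (size_t i = 0; i < MAX_STREAMS; i++)
        if (!pool[i].open) { pool[i].id = id; pool[i].open = 1; return 0; }
    return -1;
}

/* Models the peer NF closing the stream (e.g. RST_STREAM). */
void stream_reset(int id) {
    sbi_stream_t *s = stream_find(id);
    if (s) s->open = 0;
}

/* Pattern described in the report: a stale stream aborts the whole process. */
int handle_release_fatal(int stream_id) {
    sbi_stream_t *stream = stream_find(stream_id);
    assert(stream);               /* one dead stream takes down every session */
    stream->open = 0;             /* response sent, stream finished */
    return EVT_HANDLED;
}

/* Hardened form: a stale stream is a per-event error, logged and skipped. */
int handle_release_checked(int stream_id) {
    sbi_stream_t *stream = stream_find(stream_id);
    if (stream == NULL) {
        fprintf(stderr, "stream %d already closed, dropping event\n", stream_id);
        return EVT_DROPPED;
    }
    stream->open = 0;
    return EVT_HANDLED;
}
```

Calling `handle_release_fatal` with the id of a reset stream aborts the process, which is why the checks below exercise only the checked handler.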