CVE-2026-2517 in Open5GS

Summary

by MITRE • 02/15/2026

A security flaw has been discovered in Open5GS up to 2.7.6. This vulnerability affects the function ogs_gtp2_parse_tft in the library lib/gtp/v2/types.c of the component SMF. Manipulating the argument pf[0].content.length results in denial of service. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Analysis

by VulDB Data Team • 02/19/2026

The vulnerability identified as CVE-2026-2517 represents a critical denial of service flaw within the Open5GS software ecosystem, specifically targeting version 2.7.6 and earlier releases. This issue resides within the Session Management Function (SMF) component of the Open5GS network stack, which serves as a fundamental building block for 5G core networks. The affected function ogs_gtp2_parse_tft operates within the lib/gtp/v2/types.c library file, processing traffic flow templates that are essential for managing packet filtering and quality of service parameters in the GTPv2 protocol implementation. The vulnerability stems from inadequate input validation and improper handling of the pf[0].content.length parameter, creating a scenario where malicious actors can manipulate this specific field to trigger unexpected behavior in the system's processing logic.

The technical exploitation of this vulnerability occurs through remote manipulation of the GTPv2 protocol messages that the SMF component processes during session establishment and modification procedures. When an attacker crafts a specially formatted traffic flow template with manipulated pf[0].content.length values, the ogs_gtp2_parse_tft function fails to properly validate these inputs before proceeding with subsequent processing steps. This flaw directly maps to CWE-129, which addresses improper validation of array indices, and CWE-691, concerning insufficient control of a resource through an accessible interface. The vulnerability demonstrates characteristics consistent with a buffer over-read or integer overflow condition, where the malformed length parameter causes the parsing routine to access memory locations beyond intended boundaries or process data in ways that disrupt normal system operation.
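The kind of length validation the analysis describes as missing can be illustrated with a bounds-checked walk over a traffic flow template. This is an added example, not Open5GS code and not the project's fix; the octet layout is assumed from 3GPP TS 24.008 section 10.5.6.12, the names tft_validate and TFT_* are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

enum { TFT_OK = 0, TFT_TRUNCATED = -1, TFT_BAD_LENGTH = -2, TFT_TRAILING = -3 };

/* Constructed samples (not captured traffic): "create new TFT", one filter. */
const uint8_t tft_good[] = { 0x21, 0x30, 0x01, 0x02, 0x30, 0x11 };
/* Same filter, but its content-length octet claims 255 bytes. */
const uint8_t tft_bad[]  = { 0x21, 0x30, 0x01, 0xff, 0x30, 0x11 };

/* Hypothetical validator: walk a TFT value (the octets after the IE header)
 * and check every length field against the bytes actually received.
 * It returns a status code so the caller can reject the message; it never
 * aborts and never reads past buf[len - 1]. */
int tft_validate(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 1)
        return TFT_TRUNCATED;

    uint8_t op    = buf[0] >> 5;        /* operation code, bits 8..6 */
    int     e_bit = (buf[0] >> 4) & 1;  /* parameters list follows   */
    uint8_t count = buf[0] & 0x0f;      /* number of packet filters  */
    size_t  off   = 1;

    if (op == 5) {                      /* delete filters: 1 id octet each */
        if (len - off < count)
            return TFT_TRUNCATED;
        off += count;
    } else if (op == 1 || op == 3 || op == 4) {   /* create / add / replace */
        for (uint8_t i = 0; i < count; i++) {
            if (len - off < 3)          /* id, precedence, content length */
                return TFT_TRUNCATED;
            uint8_t content_len = buf[off + 2];
            off += 3;
            if (content_len > len - off)
                return TFT_BAD_LENGTH;  /* claimed length exceeds the buffer */
            off += content_len;
        }
    }
    if (!e_bit && off != len)           /* strict: no E bit, nothing may follow */
        return TFT_TRAILING;
    return TFT_OK;
}

int main(void)
{
    return (tft_validate(tft_good, sizeof tft_good) == TFT_OK &&
            tft_validate(tft_bad, sizeof tft_bad) == TFT_BAD_LENGTH) ? 0 : 1;
}
```

The same walk can back a monitoring rule: any TFT for which it returns a non-zero status is a malformed template worth logging.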

The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise the integrity of the entire 5G core network infrastructure. Since the SMF component is responsible for managing session contexts and traffic flow parameters for mobile subscribers, a successful denial of service attack could result in widespread connectivity issues for users within the affected network. The remote exploitability of this vulnerability means that attackers need not have physical access to the network equipment, allowing them to target the service from external networks. This characteristic significantly increases the attack surface and makes the vulnerability particularly dangerous in production environments where network availability is critical for maintaining service levels and user satisfaction. The public release of exploit code further amplifies the risk, as it provides attackers with readily available tools to execute these attacks without requiring advanced technical knowledge.

Organizations utilizing Open5GS versions up to 2.7.6 should immediately implement mitigations to protect their network infrastructure from potential exploitation of this vulnerability. The most effective immediate response involves applying the latest available security patches from the Open5GS project, which should address the improper input validation in the ogs_gtp2_parse_tft function. Network administrators should also implement monitoring solutions that can detect anomalous GTPv2 traffic patterns, particularly those involving malformed traffic flow templates. Additional protective measures include implementing network segmentation to isolate critical SMF components, deploying intrusion detection systems capable of identifying suspicious protocol behavior, and establishing incident response procedures that can quickly address exploitation attempts. From an ATT&CK framework perspective, this vulnerability aligns with techniques involving privilege escalation and denial of service, specifically targeting the network infrastructure components that maintain session state information for mobile subscribers. The vulnerability also demonstrates characteristics of T1499.004, which covers network disruption through service availability attacks, making it a significant concern for 5G network operators who must maintain high availability for their services.

Responsible: VulDB

Disclosure: 02/15/2026

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.00108

KEV: no

Activities: very low
