Submit #626114: Open5GS <= v2.7.5 Denial of Service

Title: Open5GS <= v2.7.5 Denial of Service
Description:

A denial of service vulnerability exists in Open5GS AMF (v2.7.5 and earlier), where the AMF process crashes due to an invalid state transition during handling of SM Context Release in the Initial Context Setup phase. This issue occurs when a UE, connecting via gNB (e.g., UERANSIM), initiates a PDU session but then triggers an SM Context Release before the session is fully established. Under certain conditions—such as constrained system memory or aggressive UE connect/disconnect cycles—the AMF reaches a fatal assertion in amf_nsmf_pdusession_handle_release_sm_context, causing the entire AMF process to crash. The code path involved explicitly states it “should not be reached,” indicating a missing state guard in the finite state machine (FSM).

Log Excerpt:

    FATAL: Release SM Context in initial-context-setup
    FATAL: amf_nsmf_pdusession_handle_release_sm_context: should not be reached.

CVSS v4.0 Score: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H — Base Score: 8.8 (High)

This vulnerability is remotely exploitable without authentication, has a low attack complexity, and causes high impact on both general availability and core network security functions. While it does not compromise data confidentiality or integrity, it results in a persistent denial of service of the 5G core's AMF function — severely affecting session management, registration, and authentication.
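The two FATAL lines quoted above are the observable signature of this crash in AMF logs. The following detector is an added example for operators monitoring an Open5GS deployment; it is not code from the submission or from the Open5GS project. The sample log is constructed here (timestamps and the INFO lines are assumed; only the two FATAL messages come from the report), and the line-window parameter is a chosen heuristic.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of AMF log output around the reported crash. The two FATAL
# messages are the ones quoted in the submission; the surrounding lines are
# made up for context and do not claim to match real Open5GS output exactly.
SAMPLE_AMF_LOG = """\
07/31 10:02:11.101: [amf] INFO: Registration complete
07/31 10:02:11.205: [amf] INFO: [Added] Number of AMF-Sessions is now 1
07/31 10:02:11.310: [amf] FATAL: Release SM Context in initial-context-setup
07/31 10:02:11.311: [amf] FATAL: amf_nsmf_pdusession_handle_release_sm_context: should not be reached.
"""

# A log with no crash signature, used as a negative case.
HEALTHY_AMF_LOG = """\
07/31 10:05:00.001: [amf] INFO: Registration complete
07/31 10:05:00.002: [amf] INFO: [Added] Number of AMF-Sessions is now 2
"""

# The state-guard message and the assertion message, as quoted in the report.
RELEASE_IN_ICS = re.compile(r"FATAL: Release SM Context in initial-context-setup")
ASSERT_HIT = re.compile(
    r"FATAL: amf_nsmf_pdusession_handle_release_sm_context: should not be reached"
)


@dataclass
class CrashFinding:
    release_line: int            # 1-based line number of the state-guard message
    assert_line: int             # 1-based line number of the assertion message
    context: List[str] = field(default_factory=list)  # one line before, up to the assert


def detect_amf_release_crash(log_text: str, window: int = 5) -> Optional[CrashFinding]:
    """Return a finding when the assertion message follows the state-guard message
    within `window` lines, which is the crash sequence described in the report."""
    lines = log_text.splitlines()
    pending: Optional[int] = None
    for idx, line in enumerate(lines, start=1):
        if RELEASE_IN_ICS.search(line):
            pending = idx
        elif ASSERT_HIT.search(line) and pending is not None and idx - pending <= window:
            # Keep one line of context before the release message, through the assert.
            context = lines[max(0, pending - 2):idx]
            return CrashFinding(release_line=pending, assert_line=idx, context=context)
    return None
```

A finding is the cue to capture the AMF core dump and the UE/gNB session timeline before the process is restarted, since the report notes the crash follows a release arriving during Initial Context Setup.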
Source: https://github.com/open5gs/open5gs/issues/3946
User: xiaohan zheng (UID 88539)
Submission: 07/31/2025 07:47 (9 months ago)
Moderation: 08/13/2025 21:04 (14 days later)
Status: Duplicate
VulDB entry: 319128 [Open5GS up to 2.7.5 AMF Service src/amf/nsmf-handler.c amf_nsmf_pdusession_handle_release_sm_context assertion]
Points: 0
