Submit #626118: Open5GS <=v2.7.5 Denial of Service

Title: Open5GS <=v2.7.5 Denial of Service
Description: A denial-of-service (DoS) vulnerability exists in Open5GS AMF (version v2.7.5 and earlier) caused by missing state validation in the GMM state machine when processing delayed SBI responses. This issue is triggered under memory-constrained or unstable runtime conditions, where a UE and gNB repeatedly attach and detach. During this cycle, a delayed smf-select-data response is received from nudm-sdm after the AMF UE context has already been removed, and the UE has entered the DEREGISTERED state. Because the GMM state machine has no valid logic to handle SBI events in this state, the event is forwarded to gmm_state_exception(), which raises a fatal assertion (should not be reached), causing the AMF process to crash immediately.

A remote, unauthenticated attacker can exploit this behavior by rapidly triggering registration and de-registration flows, causing repeated UE context cleanup and triggering the crash with a delayed SBI response. Although this vulnerability does not compromise confidentiality or integrity, it results in a complete loss of AMF availability and disables 5G core network functions until manual recovery.

CVSS v4.0 Base Score Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Base Score: 8.6 (High)
Source: https://github.com/open5gs/open5gs/issues/3977
User: lixxxiang (UID 88572)
Submission: 07/31/2025 07:51 (9 months ago)
Moderation: 08/09/2025 09:16 (9 days later)
Status: Accepted
VulDB entry: 319329 [Open5GS up to 2.7.5 AMF src/amf/gmm-sm.c gmm_state_exception denial of service]
Points: 20
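
The failure pattern in the description, reduced to a small C model. This is an added example, not code from Open5GS or from the submitter: every type and function name is hypothetical, the generation counter is an assumed way to recognise responses that belong to a torn-down UE context, and OUT_FATAL stands in for the assertion that aborts the process.

```c
#include <stdio.h>

/* Simplified model; every name here is hypothetical, not an Open5GS identifier. */
typedef enum { UE_DEREGISTERED, UE_REGISTERED } ue_state_t;
typedef enum { EV_NAS_MESSAGE, EV_SBI_RESPONSE } event_type_t;
typedef enum { OUT_HANDLED, OUT_DROPPED_STALE, OUT_FATAL } outcome_t;
typedef struct { ue_state_t state; unsigned generation; } ue_ctx_t;  /* bumped on teardown */
typedef struct { event_type_t type; unsigned generation; } event_t;  /* copied at request time */
typedef outcome_t (*dispatch_fn)(const ue_ctx_t *, const event_t *);

/* Pattern from the report: the deregistered state has no branch for SBI
 * events, so a late response falls through to an exception path that asserts. */
outcome_t dispatch_unchecked(const ue_ctx_t *ue, const event_t *ev)
{
    if (ue->state == UE_REGISTERED)
        return OUT_HANDLED;
    if (ev->type == EV_NAS_MESSAGE)
        return OUT_HANDLED;              /* e.g. a fresh registration request */
    return OUT_FATAL;                    /* "should not be reached" */
}

/* Defensive variant: a late response is an expected race, so log and drop it. */
outcome_t dispatch_checked(const ue_ctx_t *ue, const event_t *ev)
{
    if (ev->type == EV_SBI_RESPONSE &&
        (ue->state == UE_DEREGISTERED || ev->generation != ue->generation)) {
        fprintf(stderr, "dropping stale SBI response (event gen %u, ctx gen %u)\n",
                ev->generation, ue->generation);
        return OUT_DROPPED_STALE;
    }
    return OUT_HANDLED;
}

/* Constructed scenario: request sent, UE detaches, response arrives afterwards. */
outcome_t late_response(dispatch_fn dispatch)
{
    ue_ctx_t ue = { UE_REGISTERED, 1 };
    event_t rsp = { EV_SBI_RESPONSE, ue.generation };
    ue.state = UE_DEREGISTERED;          /* detach completes before the reply */
    ue.generation++;
    return dispatch(&ue, &rsp);
}

int main(void)
{
    printf("unchecked=%d checked=%d\n",
           late_response(dispatch_unchecked), late_response(dispatch_checked));
    return 0;
}
```

The generation comparison also covers a UE that has re-registered before the old response arrives, a case the state check alone would miss.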
