| Title | Open5GS <=v2.7.5 Denail of Service |
|---|
| Description | A denial-of-service (DoS) vulnerability exists in Open5GS SMF (version v2.7.5 and earlier), caused by improper validation of SBI stream state under resource-constrained conditions during PDU session release.
This issue is triggered when the SMF operates under strict memory limits, and an HTTP/2 stream (used for SBI communication) has already been closed — for example, after receiving a RST_STREAM from a peer NF. Despite the stream being invalid, the SMF proceeds to process the event without checking the stream's state, leading to a fatal assertion failure in the function smf_state_operational().
Instead of handling the situation gracefully — by skipping the event or logging an error — the SMF crashes on the assertion assert(stream), resulting in termination of the entire SMF process, even though the failure is tied to a single UE context.
A remote attacker could potentially exploit this vulnerability by simulating high churn (frequent PDU session releases) under load, triggering stream closures and causing the SMF to repeatedly crash.
CVSS v4.0 Base Score
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Base Score: 8.8(High) |
|---|
| Source | ⚠️ https://github.com/open5gs/open5gs/issues/3978 |
|---|
| User | lixxxiang (UID 88572) |
|---|
| Submission | 07/31/2025 07:57 (9 months ago) |
|---|
| Moderation | 08/09/2025 09:21 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 319330 [Open5GS up to 2.7.5 SMF src/smf/smf-sm.c smf_state_operational stream denial of service] |
|---|
| Points | 20 |
|---|