Description
An issue in open5gs v.2.7.3 allows a remote attacker to cause a denial of service via a crafted PDU Session Modification Request
Published: 2026-04-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An input validation flaw combined with unchecked resource usage in Open5GS 2.7.3 permits a remote attacker to deliver a specially crafted PDU Session Modification Request that triggers a crash or makes the service unresponsive, leading to denial of service. The underlying weakness aligns with CWE‑20 (Improper Validation of Input) and CWE‑400 (Uncontrolled Resource Consumption).

Affected Systems

Open5GS, the open‑source 5G core network implementation, is affected in release 2.7.3. Any deployment that has not upgraded beyond this version remains vulnerable until a fix is deployed.

Risk and Exploitability

The CVSS score of 7.5 reflects a high impact, with an EPSS score of less than 1 % indicating that widespread exploitation has not been documented. The vulnerability can be triggered from any external network that can reach the Open5GS instance, presumably through its user‑plane interface that accepts PDU Session Modification Requests; this attack vector is inferred from the description of a crafted network message. Because the flaw relies on malformed input, an attacker can repeat the exploit without authentication, potentially exhausting server resources until the node becomes unavailable.

Generated by OpenCVE AI on May 4, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Open5GS to a version that contains the fix for the PDU Session Modification Request handling bug.
  • If a quick update is not possible, implement network‑level filtering to reject or rate limit malformed PDU Session Modification Requests on the UE interface.
  • Continuously monitor system logs for abnormal PDU Session Modification requests and apply firewall or router rules to block or throttle suspicious traffic.

Generated by OpenCVE AI on May 4, 2026 at 21:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Remote Denial of Service via Crafted PDU Session Modification Request in Open5GS 2.7.3

Mon, 04 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted PDU Session Modification Request in Open5GS
Weaknesses CWE-770

Mon, 04 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 02 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted PDU Session Modification Request in Open5GS
Weaknesses CWE-20
CWE-770

Thu, 30 Apr 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Open5gs
Open5gs open5gs
Vendors & Products Open5gs
Open5gs open5gs

Thu, 30 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description An issue in open5gs v.2.7.3 allows a remote attacker to cause a denial of service via a crafted PDU Session Modification Request
References

Subscriptions

Open5gs Open5gs
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-04T17:52:43.626Z

Reserved: 2025-04-22T00:00:00.000Z

Link: CVE-2025-46115

cve-icon Vulnrichment

Updated: 2026-05-04T15:02:47.998Z

cve-icon NVD

Status : Deferred

Published: 2026-04-30T20:16:23.083

Modified: 2026-05-04T18:16:24.450

Link: CVE-2025-46115

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T22:00:11Z

Weaknesses