A flaw in Open5GS version 2.7.3 lets an attacker craft a malicious PDU Session Modification Request that triggers a service crash or hangs, resulting in a denial of service. The vulnerability stems from inadequate validation of this specific network message, allowing a remote actor to consume resources until the network node becomes unavailable. The impact is a loss of service availability for all users served by the affected Open5GS deployment.

The issue affects the Open5GS open-source 5G core network implementation, specifically version 2.7.3. The vulnerability was reported in a GitHub issue linked to this version, indicating that any deployment using this exact release is susceptible until a patch is applied.

The availability impact is high and the attack can be conducted from any external network that can reach the Open5GS instance. Based on the description, it is inferred that an attacker could use an interface such as the user equipment interface, though this is not explicitly stated. No CVSS score is provided, but the lack of exploitation probability data and absence from the KEV catalog suggest that widespread exploitation has not been confirmed yet. However, the remote nature and the possibility of automated traffic mean that a determined adversary could cause repeated outages if a fix is not applied.