CVE-2026-2517 - Vulnerability Details

- Open5GS SMF types.c ogs_gtp2_parse_tft denial of service

Description

A security flaw has been discovered in Open5GS up to 2.7.6. This vulnerability affects the function ogs_gtp2_parse_tft in the library lib/gtp/v2/types.c of the component SMF. Performing a manipulation of the argument pf[0].content.length results in denial of service. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Published: 2026-02-15

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in Open5GS SMF's ogs_gtp2_parse_tft function can be triggered by manipulating the pf[0].content.length field provided in a GTPv2 packet. The manipulation causes the function to crash or behave unpredictably, leading to a denial of service for the SMF process. This weakness is classified as CWE-404 and results in loss of availability for the affected service and any downstream network functions that rely on the SMF.

Affected Systems

Version 2.7.6 and earlier of the Open5GS stack, specifically the SMF component that processes GTPv2 messages. The issue resides in the lib/gtp/v2/types.c source file of Open5GS and does not affect later releases beyond 2.7.6.

Risk and Exploitability

The CVSS base score is 6.9, indicating a medium severity vulnerability. Exploitation probability is low with an EPSS score below 1%, and the vulnerability is not listed in CISA's KEV catalog, suggesting limited active exploitation. However, the exploit code has been released publicly and the flaw can be triggered remotely via crafted GTPv2 traffic without authentication, making it a legitimate threat to any exposed Open5GS deployment.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

Open5GS

affected

Version	Status	Constraints
`2.7.0`	affected	—
`2.7.1`	affected	—
`2.7.2`	affected	—
`2.7.3`	affected	—
`2.7.4`	affected	—
`2.7.5`	affected	—
`2.7.6`	affected	—

Configuration 1 [-]

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Open5gs

—

Version	Status	Scheme	Platform
`2.7.0`	affected	semver	—
`2.7.1`	affected	semver	—
`2.7.2`	affected	semver	—
`2.7.3`	affected	semver	—
`2.7.4`	affected	semver	—
`2.7.5`	affected	semver	—
`2.7.6`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Open5GS release (v2.7.7 or newer) which contains the patch for this vulnerability.
If an upgrade cannot be performed immediately, configure the SMF to reject or drop any GTPv2 messages that trigger the failure, such as limiting flow descriptor lengths from unknown peers.
Continuously monitor SMF logs for unexpected crashes and enforce access controls to restrict GTPv2 connections to trusted devices.

Generated by OpenCVE AI on April 17, 2026 at 19:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00103.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/open5gs/open5gs/
https://github.com/open5gs/open5gs/issues/4281
https://github.com/open5gs/open5gs/issues/4281#issue-3807802287
https://vuldb.com/?ctiid.346108
https://vuldb.com/?id.346108
https://vuldb.com/?submit.738332

History

Wed, 18 Feb 2026 21:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:open5gs:open5gs::::::::

Tue, 17 Feb 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Open5gs Open5gs open5gs
Vendors & Products		Open5gs Open5gs open5gs

Sun, 15 Feb 2026 12:45:00 +0000

Type	Values Removed	Values Added
Description		A security flaw has been discovered in Open5GS up to 2.7.6. This vulnerability affects the function ogs_gtp2_parse_tft in the library lib/gtp/v2/types.c of the component SMF. Performing a manipulation of the argument pf[0].content.length results in denial of service. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title		Open5GS SMF types.c ogs_gtp2_parse_tft denial of service
Weaknesses		CWE-404
References		https://github.com/open5gs/open5gs/ https://github.com/open5gs/open5gs/issues/4281 https://github.com/open5gs/open5gs/issues/4281#issue-3807802287 https://vuldb.com/?ctiid.346108 https://vuldb.com/?id.346108 https://vuldb.com/?submit.738332
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Open5gs Open5gs

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-15T12:32:08.127Z

Updated: 2026-02-23T10:02:19.979Z

Reserved: 2026-02-14T20:01:26.566Z

Link: CVE-2026-2517

Vulnrichment

Updated: 2026-02-17T17:23:06.901Z

NVD

Status : Analyzed

Published: 2026-02-15T13:16:16.690

Modified: 2026-02-18T20:48:40.650

Link: CVE-2026-2517

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:30:15Z

Weaknesses

CWE-404

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object