174 matches found
CVE-2025-44951
A missing length check in ogspfcpdevadd function from PFCP library, used by both smf and upf in open5gs 2.7.2 and earlier, allows a local attacker to cause a Buffer Overflow by changing the session.dev field with a value with length greater than 32...
CVE-2025-29646
An issue in upf in open5gs 2.7.2 and earlier allows a remote attacker to cause a Denial of Service via a crafted PFCP SessionEstablishmentRequest packet with restoration indication = true and teid = 0 or teid = ogspfcppdrteidpool.size...
PT-2025-26182 · Open5Gs · Open5Gs
Name of the Vulnerable Software and Affected Versions: open5gs versions 2.7.2 and earlier Description: The issue allows a remote attacker to cause a Denial of Service via a crafted PFCP SessionEstablishmentRequest packet with restoration indication = true and teid = 0 or teid = ogs pfcp pdr teid...
CVE-2023-47346
Buffer Overflow vulnerability in free5gc 3.3.0, UPF 1.2.0, and SMF 1.2.0 allows attackers to cause a denial of service via crafted PFCP messages...
CVE-2023-47345
Buffer Overflow vulnerability in free5gc 3.3.0 allows attackers to cause a denial of service via crafted PFCP message with malformed PFCP Heartbeat message whose Recovery Time Stamp IE length is mutated to zero...
CVE-2022-43222
open5gs v2.4.11 was discovered to contain a memory leak in the component src/smf/pfcp-path.c. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted PFCP packet...
CVE-2022-43221
open5gs v2.4.11 was discovered to contain a memory leak in the component src/upf/pfcp-path.c. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted PFCP packet...
CVE-2022-39063
When Open5GS UPF receives a PFCP Session Establishment Request, it stores related values for building the PFCP Session Establishment Response. Once UPF receives a request, it gets the fteidlen from incoming message, and then uses it to copy data from incoming message to struct fteid without...
CVE-2021-41794
ogsfqdnparse in Open5GS 1.0.0 through 2.3.3 inappropriately trusts a client-supplied length value, leading to a buffer overflow. The attacker can send a PFCP Session Establishment Request with "internet" as the PDI Network Instance. The first character is interpreted as a length value to be used ...
CVE-2025-29339
An issue in UPF in Open5GS UPF versions up to v2.7.2 results an assertion failure vulnerability in PFCP session parameter validation. When processing a PFCP Session Establishment Request with PDN Type=0, the UPF fails to handle the invalid value propagated from SMF or via direct attack, triggerin...
CVE-2025-29339
An issue in UPF in Open5GS UPF versions up to v2.7.2 results an assertion failure vulnerability in PFCP session parameter validation. When processing a PFCP Session Establishment Request with PDN Type=0, the UPF fails to handle the invalid value propagated from SMF or via direct attack, triggerin...
PT-2025-17557 · Open5Gs · Open5Gs Upf
Name of the Vulnerable Software and Affected Versions: Open5GS UPF versions up to v2.7.2 Description: The issue results in an assertion failure vulnerability in PFCP session parameter validation. When processing a PFCP Session Establishment Request with PDN Type = 0, the UPF fails to handle the...
CVE-2025-29339
An issue in UPF in Open5GS UPF versions up to v2.7.2 results an assertion failure vulnerability in PFCP session parameter validation. When processing a PFCP Session Establishment Request with PDN Type=0, the UPF fails to handle the invalid value propagated from SMF or via direct attack, triggerin...
CVE-2025-29339
Open5GS UPF (up to v2.7.2) is affected by CVE-2025-29339. An assertion failure occurs during PFCP Session Establishment Requests when PDN Type is 0, due to improper handling of an invalid value propagated from SMF (or via direct attack), leading to a fatal assertion and daemon crash. The vulnerab...
CVE-2025-29339
An issue in UPF in Open5GS UPF versions up to v2.7.2 results an assertion failure vulnerability in PFCP session parameter validation. When processing a PFCP Session Establishment Request with PDN Type=0, the UPF fails to handle the invalid value propagated from SMF or via direct attack, triggerin...
CVE-2025-29339
An issue in UPF in Open5GS UPF versions up to v2.7.2 results an assertion failure vulnerability in PFCP session parameter validation. When processing a PFCP Session Establishment Request with PDN Type=0, the UPF fails to handle the invalid value propagated from SMF or via direct attack, triggerin...
CVE-2025-21677
In the Linux kernel, the following vulnerability has been resolved: pfcp: Destroy device along with udp socket's netns dismantle. pfcpnewlink links the device to a list in devnetdev instead of net, where a udp tunnel socket is created. Even when net is removed, the device stays alive on devnetdev...
DEBIAN-CVE-2025-21677
In the Linux kernel, the following vulnerability has been resolved: pfcp: Destroy device along with udp socket's netns dismantle. pfcpnewlink links the device to a list in devnetdev instead of net, where a udp tunnel socket is created. Even when net is removed, the device stays alive on devnetdev...
CVE-2025-21677
In the Linux kernel, the following vulnerability has been resolved: pfcp: Destroy device along with udp socket's netns dismantle. pfcpnewlink links the device to a list in devnetdev instead of net, where a udp tunnel socket is created. Even when net is removed, the device stays alive on devnetdev...
UBUNTU-CVE-2025-21677
In the Linux kernel, the following vulnerability has been resolved: pfcp: Destroy device along with udp socket's netns dismantle. pfcpnewlink links the device to a list in devnetdev instead of net, where a udp tunnel socket is created. Even when net is removed, the device stays alive on devnetdev...