CVE-2024-34235 Overview
CVE-2024-34235 affects Open5GS, an open-source implementation of 5G Core and EPC network functions. The Mobility Management Entity (MME) component in versions <= 2.6.4 contains a reachable assertion that an unauthenticated attacker can trigger remotely. Sending a malformed Abstract Syntax Notation One (ASN.1) packet over the S1-Application Protocol (S1AP) interface crashes the MME process. Specifically, an Initial UE Message missing the required NAS_PDU field triggers the assertion and terminates the service. Repeated transmission produces sustained denial of service against cellular core infrastructure.
Critical Impact
An unauthenticated remote attacker with S1AP network reachability can repeatedly crash the Open5GS MME, disrupting subscriber attach procedures and mobility management across an LTE/EPC deployment.
Affected Products
- Open5GS MME versions <= 2.6.4
- Open5GS EPC deployments exposing the S1AP interface
- 5G/LTE testbeds and production cores built on Open5GS
Discovery Timeline
- 2025-01-22 - CVE-2024-34235 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-34235
Vulnerability Analysis
The flaw is a reachable assertion classified under [CWE-617]. The Open5GS MME parses S1AP messages encoded with ASN.1 Packed Encoding Rules (PER). When processing an Initial UE Message, the MME assumes mandatory Information Elements (IEs) such as NAS_PDU are present after successful decoding. Omitting the IE causes a downstream assertion to fail, terminating the MME process.
The S1AP interface sits between the eNodeB and the MME and typically traverses operator-controlled transport. However, lab deployments, misconfigured firewalls, or compromised radio-side equipment can expose the interface. The attacker requires no authentication and no user interaction because S1AP itself does not authenticate the originating eNodeB at the application layer.
Impact is limited to availability. The vulnerability does not expose subscriber data or allow code execution, but loss of the MME breaks attach, paging, handover, and bearer management for all attached User Equipment (UE).
Root Cause
The MME treats NAS_PDU as guaranteed-present after decode rather than validating its existence and returning a protocol error. The assertion is intended as a developer invariant but becomes attacker-reachable through crafted input. Defensive checks and graceful error responses are missing in the affected code path.
Attack Vector
An attacker with network access to the S1AP listener sends a Stream Control Transmission Protocol (SCTP) association establishment followed by an Initial UE Message PDU. The PDU omits the NAS_PDU IE while remaining structurally valid ASN.1. The MME decodes the message, hits the assertion, and terminates. Reconnecting and repeating the message sustains the outage. Technical context is documented in the Cellular Security Analysis writeup.
Detection Methods for CVE-2024-34235
Indicators of Compromise
- Unexpected MME process termination with assertion failure entries in Open5GS logs referencing S1AP Initial UE Message handling.
- SCTP associations from unknown or unauthorized peer addresses on the S1AP port.
- Repeated UE attach failures across multiple eNodeBs coinciding with MME restarts.
Detection Strategies
- Monitor MME process supervision events and systemd or container restart counters for abnormal cycles.
- Inspect S1AP traffic for Initial UE Message PDUs that lack the NAS_PDU IE using protocol-aware packet capture.
- Correlate eNodeB source addresses against an allowlist of authorized radio nodes.
Monitoring Recommendations
- Enable verbose Open5GS MME logging and forward to a centralized log platform for assertion pattern matching.
- Alert on SCTP INIT chunks from networks outside the trusted transport perimeter.
- Track MME uptime as a service-level indicator and trigger investigation on regressions.
How to Mitigate CVE-2024-34235
Immediate Actions Required
- Upgrade Open5GS to a release later than 2.6.4 that addresses the assertion in the S1AP decoder.
- Restrict S1AP reachability to authorized eNodeB IP ranges using firewall or SCTP-aware access control.
- Place the MME behind a process supervisor configured to restart on crash while alerts are investigated.
Patch Information
Update to a fixed Open5GS release beyond version 2.6.4. Review the project release notes and the Cellular Security Analysis reference for the corresponding S1AP parsing fixes before deploying to production cores.
Workarounds
- Isolate the S1AP interface on a dedicated VLAN or VRF unreachable from general IP networks.
- Enforce SCTP peer address validation and reject associations from unknown endpoints at the network layer.
- Deploy an S1AP-aware intermediary or IDS rule that drops Initial UE Message PDUs missing the NAS_PDU IE.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

