CVE-2025-15176 Overview
A vulnerability has been discovered in Open5GS, an open-source implementation of 5G Core and EPC (Evolved Packet Core). This flaw affects the decode_ipv6_header and ogs_pfcp_pdr_rule_find_by_packet functions within the file lib/pfcp/rule-match.c, specifically in the PFCP Session Establishment Request Handler component. The vulnerability allows remote attackers to trigger a reachable assertion, resulting in a denial of service condition. The exploit has been publicly disclosed and may be actively used against vulnerable installations.
Critical Impact
Remote attackers can crash the Open5GS UPF (User Plane Function) component by sending specially crafted PFCP packets containing malformed IPv6 jumbo packet headers, causing service disruption to 5G network infrastructure.
Affected Products
- Open5GS versions up to and including 2.7.5
- Open5GS UPF (User Plane Function) component
- Systems processing PFCP Session Establishment Requests with IPv6 traffic
Discovery Timeline
- 2025-12-29 - CVE-2025-15176 published to NVD
- 2026-02-24 - Last updated in NVD database
Technical Details for CVE-2025-15176
Vulnerability Analysis
This vulnerability (CWE-617: Reachable Assertion) is in the IPv6 jumbo packet handling logic of Open5GS's PFCP rule matching code. When the code processes an IPv6 packet whose payload length field is zero (indicating a jumbo payload), it asserts that the Next Header field is zero. However, an attacker can craft packets where the payload length is zero but the Next Header field contains a non-zero value, which fails the assertion and terminates the UPF process.
The vulnerability is particularly impactful in 5G network deployments where the UPF is a critical component responsible for user plane traffic processing. A successful exploit would interrupt data plane services for all connected users until the service is restored.
Root Cause
The root cause lies in the use of ogs_assert() for input validation in packet processing code. The assertion ogs_assert(nxt == 0) was used to validate the Next Header field when handling IPv6 jumbo packets. Assertions are intended for catching programming errors during development, not for validating external input from network packets. When an attacker sends a malformed packet that violates this assumption, the assertion fails and terminates the process rather than gracefully handling the invalid input.
Attack Vector
The attack can be launched remotely over the network by sending crafted PFCP Session Establishment Request packets to the Open5GS UPF component. The attacker needs network access to the PFCP interface (typically UDP port 8805) of the target system. No authentication or special privileges are required to exploit this vulnerability. The attack involves:
- Establishing a PFCP association with the target UPF
- Sending a PFCP Session Establishment Request containing a PDR (Packet Detection Rule)
- Subsequently sending IPv6 traffic with a crafted jumbo packet header where payload length is 0 but Next Header is non-zero
- The assertion triggers, crashing the UPF process
uint32_t jp_len = 0;
struct ip6_opt_jumbo *jumbo = NULL;
- ogs_assert(nxt == 0);
+ if (nxt != 0) {
+ ogs_error("Invalid IPv6 jumbo: plen=0 but NextHeader=%u", nxt);
+ return OGS_ERROR; /* Drop packet safely */
+ }
jumbo = (struct ip6_opt_jumbo *)jp;
memcpy(&jp_len, jumbo->ip6oj_jumbo_len, sizeof(jp_len));
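Review bot: after the new nxt check, the cast of jp to struct ip6_opt_jumbo and the memcpy from jumbo->ip6oj_jumbo_len still read packet-controlled bytes, and nothing in these lines confirms that jp has a complete jumbo option behind it or that the option's type and length fields are the expected ones. If that is not verified earlier in the function, add a bounds and type check here that returns OGS_ERROR the same way. Since ogs_error now fires once per malformed packet, consider rate limiting it or logging at a lower level so a sender cannot flood the UPF log.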
Source: GitHub Commit Log
Detection Methods for CVE-2025-15176
Indicators of Compromise
- Unexpected crashes or restarts of the Open5GS UPF process
- Core dump files generated by the UPF process containing assertion failure messages in rule-match.c
- Log entries indicating assertion failures with references to decode_ipv6_header or IPv6 jumbo packet handling
- Increased PFCP Session Establishment Request traffic from unusual sources
Detection Strategies
- Monitor Open5GS UPF process stability and implement automatic crash detection
- Analyze network traffic for PFCP packets containing malformed IPv6 headers with zero payload length and non-zero Next Header values
- Review system logs for assertion failure messages originating from the lib/pfcp/rule-match.c file
- Implement network intrusion detection rules to identify anomalous PFCP traffic patterns
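An added example, not code from Open5GS or from the commit quoted above: a C check that treats the IPv6 header as untrusted input, as the Root Cause section says packet code should, and flags the zero payload length with non-zero Next Header pattern named in the detection strategies. It goes beyond the page by also validating the Jumbo Payload option per RFC 2675. The function name, verdict enum and sample bytes are hypothetical and constructed, and the caller is assumed to pass a buffer that starts at the IPv6 header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum v6_verdict { V6_OK, V6_TRUNCATED, V6_NOT_IPV6, V6_BAD_JUMBO };
#define V6_HDR_LEN 40    /* fixed IPv6 header */
#define OPT_JUMBO  0xC2  /* Jumbo Payload option type (RFC 2675) */

/* Classify one IPv6 packet (hypothetical helper). Every malformed case is
 * a return value, never an abort. buf/len are untrusted network bytes. */
enum v6_verdict check_ipv6_jumbo(const uint8_t *buf, size_t len)
{
    if (len < V6_HDR_LEN) return V6_TRUNCATED;
    if ((buf[0] >> 4) != 6) return V6_NOT_IPV6;
    if (buf[4] != 0 || buf[5] != 0) return V6_OK;  /* plen != 0: not a jumbo */

    /* plen == 0 is legal only if Next Header is 0 (Hop-by-Hop) and that
     * header carries a Jumbo Payload option: the case the assertion hit. */
    if (buf[6] != 0) return V6_BAD_JUMBO;
    if (len < V6_HDR_LEN + 8) return V6_TRUNCATED;
    const uint8_t *hbh = buf + V6_HDR_LEN;
    size_t hbh_len = ((size_t)hbh[1] + 1) * 8;     /* Hdr Ext Len: 8-byte units */
    if (len < V6_HDR_LEN + hbh_len) return V6_TRUNCATED;

    for (size_t i = 2; i < hbh_len; ) {            /* walk the TLV options */
        if (hbh[i] == 0) { i++; continue; }        /* Pad1 has no length byte */
        if (i + 2 > hbh_len) return V6_BAD_JUMBO;
        size_t olen = hbh[i + 1];
        if (i + 2 + olen > hbh_len) return V6_BAD_JUMBO;
        if (hbh[i] == OPT_JUMBO) {
            if (olen != 4) return V6_BAD_JUMBO;
            uint32_t jlen = ((uint32_t)hbh[i + 2] << 24) | ((uint32_t)hbh[i + 3] << 16) |
                            ((uint32_t)hbh[i + 4] << 8) | hbh[i + 5];
            return jlen > 65535 ? V6_OK : V6_BAD_JUMBO;  /* RFC 2675 minimum */
        }
        i += 2 + olen;
    }
    return V6_BAD_JUMBO;                           /* plen == 0, no jumbo option */
}

int main(void)
{
    /* Constructed sample: plen = 0 with Next Header = 17 (UDP). */
    uint8_t bad[V6_HDR_LEN] = { [0] = 0x60, [6] = 17, [7] = 64 };
    /* Constructed sample: valid jumbo, Hop-by-Hop option length 0x00010000. */
    uint8_t ok[V6_HDR_LEN + 8] = { [0] = 0x60, [7] = 64, [40] = 17, [42] = OPT_JUMBO, [43] = 4, [45] = 1 };
    printf("bad=%d ok=%d\n", check_ipv6_jumbo(bad, sizeof bad), check_ipv6_jumbo(ok, sizeof ok));
    return 0;
}
```

A `V6_BAD_JUMBO` verdict is the condition to drop and count; the check does not compare the declared jumbo length against the captured length, so truncated captures of valid jumbograms still return `V6_OK`.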
Monitoring Recommendations
- Configure process monitoring to alert on unexpected UPF process terminations
- Enable detailed PFCP packet logging at network boundaries for forensic analysis
- Set up automated notifications for core dump generation in the Open5GS deployment
- Monitor PFCP association establishment patterns for unusual activity from untrusted networks
How to Mitigate CVE-2025-15176
Immediate Actions Required
- Apply the security patch identified by commit b72d8349980076e2c033c8324f07747a86eea4f8 immediately
- Restrict network access to the PFCP interface (UDP port 8805) to trusted network elements only
- Implement process supervision to automatically restart the UPF in case of unexpected termination
- Review firewall rules to ensure PFCP traffic is only accepted from legitimate 5G network components
Patch Information
The Open5GS development team has released a fix in commit b72d8349980076e2c033c8324f07747a86eea4f8. This patch replaces the unsafe assertion with proper error handling that logs the invalid packet and returns an error code, allowing the UPF to continue operating while dropping the malicious packet. Organizations running Open5GS versions up to 2.7.5 should update to a patched version or apply the commit manually.
Workarounds
- Implement network segmentation to isolate the PFCP control plane from untrusted networks
- Deploy a network firewall or security appliance to filter PFCP traffic and validate packet structure
- Configure automatic process restart mechanisms (systemd, supervisord) to minimize downtime if exploitation occurs
- Consider deploying UPF instances in a high-availability configuration to maintain service continuity
# Configuration example: restrict PFCP interface access with iptables
# Allow PFCP traffic only from trusted SMF/control plane addresses
# (10.0.0.0/24 is an example subnet; substitute your own SMF addresses)
iptables -A INPUT -p udp --dport 8805 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 8805 -j DROP
# Enable automatic restart for the open5gs-upfd service
systemctl edit open5gs-upfd --force
# In the drop-in file that opens, add:
#   [Service]
#   Restart=always
#   RestartSec=5

