CVE Vulnerability Database

CVE-2025-15176: Open5GS PFCP Handler Reachable Assertion (DoS) Vulnerability

CVE-2025-15176 is a reachable-assertion (CWE-617) denial-of-service flaw in Open5GS versions up to 2.7.5, located in the PFCP rule-matching code (lib/pfcp/rule-match.c) that the advisory files under the PFCP Session Establishment Request Handler component. It is not remote code execution: a crafted packet makes the UPF process abort. This article covers technical details, affected versions, impact, and mitigation.


CVE-2025-15176 Overview

A vulnerability has been discovered in Open5GS, an open-source implementation of the 5G Core (5GC) and the EPC (Evolved Packet Core). The flaw affects the decode_ipv6_header and ogs_pfcp_pdr_rule_find_by_packet functions in lib/pfcp/rule-match.c, the code that matches user-plane packets against the Packet Detection Rules (PDRs) installed through PFCP; the advisory files it under the PFCP Session Establishment Request Handler component. The vulnerability allows remote attackers to trigger a reachable assertion, resulting in a denial of service condition. The exploit has been publicly disclosed and may be actively used against vulnerable installations.

Critical Impact

Remote attackers can crash the Open5GS UPF (User Plane Function) by getting it to classify an IPv6 packet whose Payload Length field is zero (the signal for a jumbo payload) but whose Next Header is not the Hop-by-Hop Options header. The assertion in the PFCP rule-matching code then aborts the whole process, disrupting user-plane service for every session on that UPF.

Affected Products

  • Open5GS versions up to and including 2.7.5
  • Open5GS UPF (User Plane Function) component
  • UPF deployments that classify IPv6 user-plane traffic against PDRs installed by PFCP Session Establishment Requests

Discovery Timeline

  • 2025-12-29 - CVE-2025-15176 published to NVD
  • 2026-02-24 - Last updated in NVD database

Technical Details for CVE-2025-15176

Vulnerability Analysis

This vulnerability (CWE-617: Reachable Assertion) occurs in the IPv6 jumbo packet handling logic within Open5GS's PFCP rule matching code. Under RFC 2675, an IPv6 packet with a Payload Length of zero announces a jumbo payload whose real length is carried in a Jumbo Payload option, and that option can only live in a Hop-by-Hop Options header, so a well-formed jumbogram always has Next Header set to zero. The code turned that expectation into an assertion. A malicious actor can craft packets where the Payload Length is zero but the Next Header field contains a non-zero value, failing the assertion and terminating the UPF process instead of discarding the packet.

The vulnerability is particularly impactful in 5G network deployments where the UPF is a critical component responsible for user plane traffic processing. A successful exploit would interrupt data plane services for all connected users until the service is restored.

Root Cause

The root cause lies in the use of ogs_assert() for input validation in packet processing code. The assertion ogs_assert(nxt == 0) was used to validate the Next Header field when handling IPv6 jumbo packets. Assertions are intended for catching programming errors during development, not for validating external input from network packets. When an attacker sends a malformed packet that violates this assumption, the assertion fails and terminates the process rather than gracefully handling the invalid input.
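The two behaviours side by side, as an added example written for this article rather than taken from Open5GS: a small IPv6 header decoder in the style of decode_ipv6_header() that keeps the pre-fix assertion when hardened is 0 and drops the packet when hardened is 1. It is exercised on three constructed packets (an ordinary UDP datagram, a valid RFC 2675 jumbogram with the option in a Hop-by-Hop header, and the CVE trigger with Payload Length 0 but Next Header 17). The same predicate, Payload Length 0 together with a Next Header other than 0, is what a network-side detector would apply to user-plane traffic. Function names, constants, return codes and the sample bytes are this example's own assumptions.

```c
/* Added example (not Open5GS code): a minimal IPv6 header decoder modelled on
 * decode_ipv6_header() in lib/pfcp/rule-match.c. hardened == 0 keeps the pre-fix
 * assertion, hardened == 1 drops the packet the way the fix does. All names,
 * constants, return codes and sample packets are this example's own. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { DECODE_OK = 0, DECODE_ERR = -1 };
enum { SAMPLE_NORMAL = 0, SAMPLE_JUMBO = 1, SAMPLE_BAD_JUMBO = 2 };
#define IPV6_HDR_LEN 40
#define NH_HOPOPTS    0   /* Hop-by-Hop Options: the only header that may carry Jumbo Payload */
#define NH_UDP       17
#define OPT_JUMBO  0xC2   /* RFC 2675 Jumbo Payload option type (0 is Pad1, 1 is PadN) */

/* proto: Next Header of the fixed header; plen: 16-bit field or jumbo length; jumbo: which one */
typedef struct { uint8_t proto; uint32_t plen; int jumbo; } ipv6_info;

static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Walk a Hop-by-Hop Options header of at most 'avail' bytes looking for the jumbo option. */
static int find_jumbo_option(const uint8_t *hbh, size_t avail, uint32_t *jumbo_len)
{
    if (avail < 8) return DECODE_ERR;
    size_t hbh_len = ((size_t)hbh[1] + 1) * 8;  /* Hdr Ext Len: 8-octet units beyond the first 8 */
    if (hbh_len > avail) return DECODE_ERR;
    for (size_t off = 2; off < hbh_len; ) {
        uint8_t type = hbh[off];
        if (type == 0) { off++; continue; }       /* Pad1 has no length byte */
        if (off + 2 > hbh_len) return DECODE_ERR;
        uint8_t olen = hbh[off + 1];
        if (off + 2 + olen > hbh_len) return DECODE_ERR;
        if (type == OPT_JUMBO) {
            if (olen != 4) return DECODE_ERR;
            *jumbo_len = rd32(hbh + off + 2);
            return *jumbo_len > 0xFFFF ? DECODE_OK : DECODE_ERR;  /* RFC 2675: must exceed 65535 */
        }
        off += 2 + olen;                          /* PadN or an unrelated option */
    }
    return DECODE_ERR;                            /* plen == 0 but no jumbo option: malformed */
}

int decode_ipv6_header(const uint8_t *pkt, size_t len, int hardened, ipv6_info *out)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6) return DECODE_ERR;
    uint16_t plen = (uint16_t)((pkt[4] << 8) | pkt[5]);
    uint8_t  nxt  = pkt[6];
    out->proto = nxt; out->jumbo = 0;
    if (plen != 0) { out->plen = plen; return DECODE_OK; }  /* ordinary packet */
    if (!hardened) {
        /* Pre-fix behaviour, equivalent to ogs_assert(nxt == 0): plen == 0 with any other
         * Next Header aborts the whole process (CWE-617). SAMPLE_BAD_JUMBO lands here. */
        assert(nxt == NH_HOPOPTS);
    } else if (nxt != NH_HOPOPTS) {
        /* Fixed behaviour: log the bad packet, drop it, keep serving everyone else. */
        fprintf(stderr, "Invalid IPv6 jumbo: plen=0 but NextHeader=%u\n", nxt);
        return DECODE_ERR;
    }
    uint32_t jlen = 0;
    if (find_jumbo_option(pkt + IPV6_HDR_LEN, len - IPV6_HDR_LEN, &jlen) != DECODE_OK)
        return DECODE_ERR;
    out->plen = jlen; out->jumbo = 1;
    return DECODE_OK;
}

/* Constructed sample packets (not captures): fixed header plus the 8 bytes that follow it. */
static size_t build_sample(int which, uint8_t *buf)
{
    static const uint8_t udp_bytes[8] = { 0x12, 0x34, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 };
    static const uint8_t hbh_jumbo[8] = { NH_UDP, 0, OPT_JUMBO, 4, 0x00, 0x01, 0x00, 0x00 }; /* 65536 */
    memset(buf, 0, IPV6_HDR_LEN + 8);
    buf[0] = 0x60;                                /* version 6; addresses stay zero, irrelevant here */
    buf[7] = 64;                                  /* hop limit */
    if (which == SAMPLE_NORMAL)     { buf[5] = 8; buf[6] = NH_UDP;     memcpy(buf + 40, udp_bytes, 8); }
    else if (which == SAMPLE_JUMBO) { buf[5] = 0; buf[6] = NH_HOPOPTS; memcpy(buf + 40, hbh_jumbo, 8); }
    else                            { buf[5] = 0; buf[6] = NH_UDP;     memcpy(buf + 40, udp_bytes, 8); } /* trigger */
    return IPV6_HDR_LEN + 8;
}

/* Decode one sample: -1 if the decoder drops it, otherwise the payload length it reports.
 * SAMPLE_BAD_JUMBO with hardened == 0 never returns: the assertion aborts the process. */
long sample_decode(int which, int hardened)
{
    uint8_t buf[IPV6_HDR_LEN + 8]; ipv6_info info = { 0, 0, 0 };
    size_t len = build_sample(which, buf);
    return decode_ipv6_header(buf, len, hardened, &info) == DECODE_OK ? (long)info.plen : -1;
}

int main(void)
{
    static const char *name[] = { "normal UDP", "valid jumbogram", "plen=0 with NextHeader=17" };
    for (int i = 0; i < 3; i++)
        printf("%-26s -> %s\n", name[i], sample_decode(i, 1) < 0 ? "dropped" : "accepted");
    return 0;
}
```

Running the hardened decoder accepts the first two samples and drops the third; calling sample_decode(SAMPLE_BAD_JUMBO, 0) reproduces the pre-fix behaviour, an abort() from inside packet processing, which is exactly why assertions must never stand in for input validation on a network path.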

Attack Vector

The attack can be launched remotely over the network. The faulting code is the per-packet PDR matching in lib/pfcp/rule-match.c, so what ultimately crashes the UPF is an IPv6 user-plane packet that the UPF has to classify, not the PFCP message itself. The PFCP interface (typically UDP port 8805) is the control-plane side of the same path: PFCP carries no authentication in Open5GS, so no credentials or special privileges are needed to act as an SMF and install rules. The attack as described involves:

  1. Establishing a PFCP association with the target UPF
  2. Sending a PFCP Session Establishment Request containing a PDR (Packet Detection Rule), so that incoming traffic is matched against it
  3. Subsequently sending IPv6 traffic with a crafted header where Payload Length is 0 (the jumbo-payload signal) but Next Header is non-zero, i.e. not the Hop-by-Hop Options header that must carry the Jumbo Payload option
  4. The assertion ogs_assert(nxt == 0) in decode_ipv6_header fails and the UPF process aborts

Because matching happens per packet against whatever PDRs are installed, on a UPF that already serves subscribers steps 1 and 2 are unnecessary: a hostile IPv6 packet arriving on the user plane is enough. Restricting port 8805 therefore narrows the control-plane exposure but does not close the data-plane trigger; only the patch does.
```diff
         uint32_t jp_len = 0;
         struct ip6_opt_jumbo *jumbo = NULL;
 
-        ogs_assert(nxt == 0);
+        if (nxt != 0) {
+            ogs_error("Invalid IPv6 jumbo: plen=0 but NextHeader=%u", nxt);
+            return OGS_ERROR;   /* Drop packet safely */
+        }
 
         jumbo = (struct ip6_opt_jumbo *)jp;
         memcpy(&jp_len, jumbo->ip6oj_jumbo_len, sizeof(jp_len));
```
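Review bot: the early return on nxt != 0 is the right replacement for the assertion, but the hunk shows neither the caller's handling of OGS_ERROR nor any bound on jp before the memcpy that follows it. Confirm that ogs_pfcp_pdr_rule_find_by_packet treats the decoder's OGS_ERROR as "no match, drop" rather than continuing with an unset protocol and header length, and that the context above this hunk checks that the Hop-by-Hop header and the jumbo option actually lie within the packet buffer before `memcpy(&jp_len, jumbo->ip6oj_jumbo_len, sizeof(jp_len))` reads through jp; otherwise a truncated packet trades the abort for an out-of-bounds read. Consider also rate-limiting or demoting the ogs_error(), since whoever can trigger it can do so at line rate and fill the UPF log.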

Source: GitHub Commit Log

Detection Methods for CVE-2025-15176

Indicators of Compromise

  • Unexpected crashes or restarts of the Open5GS UPF process
  • Core dump files from the UPF process whose backtrace ends in decode_ipv6_header or ogs_pfcp_pdr_rule_find_by_packet in rule-match.c
  • Log entries from open5gs-upfd reporting a failed assertion on nxt == 0 (ogs_assert() logs the failed expression before aborting) or otherwise referencing IPv6 jumbo packet handling
  • Increased PFCP Session Establishment Request traffic from unusual sources

Detection Strategies

  • Monitor Open5GS UPF process stability and implement automatic crash detection
  • Analyze user-plane traffic (the inner IPv6 packet inside GTP-U on N3, plain IPv6 on N6) for headers with Payload Length 0 and a Next Header other than 0 (Hop-by-Hop Options); the PFCP messages themselves do not carry the malformed header
  • Review system logs for assertion failure messages originating from the lib/pfcp/rule-match.c file
  • Implement network intrusion detection rules to identify anomalous PFCP traffic patterns

Monitoring Recommendations

  • Configure process monitoring to alert on unexpected UPF process terminations
  • Capture PFCP and user-plane traffic at network boundaries for forensic analysis, retaining the packets that immediately preceded a crash
  • Set up automated notifications for core dump generation in the Open5GS deployment
  • Monitor PFCP association establishment patterns for unusual activity from untrusted networks

How to Mitigate CVE-2025-15176

Immediate Actions Required

  • Apply the security patch identified by commit b72d8349980076e2c033c8324f07747a86eea4f8 immediately, by upgrading to a release that contains it or by cherry-picking the commit
  • Restrict network access to the PFCP interface (UDP port 8805) to trusted network elements only; this limits who can install rules but does not by itself stop a malformed user-plane packet from reaching the vulnerable code
  • Implement process supervision to automatically restart the UPF in case of unexpected termination
  • Review firewall rules to ensure PFCP traffic is only accepted from legitimate 5G network components

Patch Information

The Open5GS development team has released a fix in commit b72d8349980076e2c033c8324f07747a86eea4f8. This patch replaces the unsafe assertion with proper error handling that logs the invalid packet and returns an error code, allowing the UPF to continue operating while dropping the malicious packet. Organizations running Open5GS versions up to and including 2.7.5 should update to a release newer than 2.7.5 that contains the commit, or apply the commit manually.

Workarounds

  • Implement network segmentation so that neither the PFCP control plane (N4) nor the user-plane interfaces of the UPF are reachable from untrusted networks
  • Deploy a firewall or security appliance in front of the user plane that drops IPv6 packets whose Payload Length is 0 (on N3 this means inspecting the inner IPv6 header inside GTP-U). RFC 2675 jumbograms are only legal on links with an MTU above 65575, which no mobile user plane offers, so such packets are never legitimate there and dropping them removes the trigger without affecting subscribers
  • Configure automatic process restart mechanisms (systemd, supervisord) to minimize downtime if exploitation occurs; a restart only shortens the outage, since the attacker can resend the packet as soon as the UPF is back
  • Consider deploying UPF instances in a high-availability configuration to maintain service continuity
```bash
# Configuration example - Restrict PFCP interface access with iptables
# Allow PFCP (UDP 8805) only from the trusted SMF/control-plane subnet.
# 10.0.0.0/24 is a placeholder; use -I so these rules precede any broad ACCEPT
# already in INPUT (the DROP is inserted first, then the ACCEPT in front of it).
# Repeat with ip6tables if PFCP runs over IPv6.
iptables -I INPUT 1 -p udp --dport 8805 -j DROP
iptables -I INPUT 1 -p udp --dport 8805 -s 10.0.0.0/24 -j ACCEPT

# Enable automatic restart for the open5gs-upfd service with a systemd drop-in
# (this is what "systemctl edit open5gs-upfd" writes interactively; --force is
# not needed, it only matters when the unit does not exist yet)
mkdir -p /etc/systemd/system/open5gs-upfd.service.d
cat > /etc/systemd/system/open5gs-upfd.service.d/override.conf <<'EOF'
[Service]
Restart=always
RestartSec=5
EOF
systemctl daemon-reload
systemctl restart open5gs-upfd
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
