CVE-2025-15418 Overview
A denial of service vulnerability has been discovered in Open5GS up to version 2.7.6. The vulnerability exists in the function ogs_gtp2_parse_bearer_qos within the library lib/gtp/v2/types.c, specifically in the Bearer QoS IE Length Handler component. An attacker with local access can trigger a fatal assertion failure (improper resource shutdown or release handling) that terminates the application unexpectedly.
Critical Impact
Local attackers can crash Open5GS 5G core network components, potentially disrupting mobile network services and causing denial of service conditions for connected devices.
Affected Products
- Open5GS versions up to and including 2.7.6
- Open5GS deployments using GTPv2 protocol handling
- 5G core network implementations utilizing affected Open5GS libraries
Discovery Timeline
- 2026-01-02 - CVE-2025-15418 published to NVD
- 2026-01-06 - Last updated in NVD database
Technical Details for CVE-2025-15418
Vulnerability Analysis
This vulnerability is classified as CWE-404 (Improper Resource Shutdown or Release). The flaw resides in the GTPv2 protocol implementation where the ogs_gtp2_parse_bearer_qos function fails to properly validate the length of Bearer QoS Information Elements before processing. Instead of gracefully handling malformed IE lengths, the code uses a fatal ogs_assert() macro that terminates the entire process when the assertion condition is not met.
The vulnerability requires local access to exploit, meaning an attacker would need to be positioned within the network infrastructure or have the ability to send crafted GTP messages to the affected Open5GS components. When exploited, the assertion failure causes immediate process termination, resulting in denial of service for the 5G core network functions.
Root Cause
The root cause is the use of ogs_assert() for input validation in the Bearer QoS IE parsing function. The original code contained the assertion ogs_assert(octet->len == GTP2_BEARER_QOS_LEN) which would cause a fatal crash if the IE length did not match the expected value. This design pattern treats untrusted input validation failures as programming errors rather than expected error conditions that should be handled gracefully.
Attack Vector
The attack is initiated from a local position within the network. An attacker capable of sending GTPv2 protocol messages to the Open5GS instance can craft a malformed Bearer QoS Information Element with an incorrect length field. When the affected function parses this malformed IE, the assertion fails and the process terminates. The exploit has been publicly disclosed, making it accessible for potential attacks.
// Security patch in lib/gtp/v2/types.c - gtp: avoid fatal assert on malformed Bearer/Flow QoS IEs
ogs_assert(bearer_qos);
ogs_assert(octet);
- ogs_assert(octet->len == GTP2_BEARER_QOS_LEN);
+
+ /* Validate IE length instead of asserting */
+ if (octet->len != GTP2_BEARER_QOS_LEN) {
+ ogs_error("Invalid Bearer QoS IE length [%u], expected [%u]",
+ octet->len, GTP2_BEARER_QOS_LEN);
+ return 0;
+ }
source = (ogs_gtp2_bearer_qos_t *)octet->data;
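Review bot: the new early `return 0;` leaves the caller's bearer_qos structure unpopulated, so this hunk is only a complete fix if every caller of ogs_gtp2_parse_bearer_qos checks the return value before using the result; the callers are not in the excerpt, so that should be confirmed. Also, the commit title promises the same treatment for Flow QoS IEs, but only the Bearer QoS check (`octet->len != GTP2_BEARER_QOS_LEN`) is shown here.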
// Source: https://github.com/open5gs/open5gs/commit/4e913d21f2c032b187815f063dbab5ebe65fe83a
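To make the assert-versus-validate distinction from the Root Cause section concrete, here is an added, self-contained C illustration of the patched validation pattern; it is not Open5GS code. The struct names, the constant BEARER_QOS_LEN (22, standing in for GTP2_BEARER_QOS_LEN) and the 3GPP TS 29.274 field layout are assumptions, and the sample IE bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed stand-ins for ogs_tlv_octet_t and GTP2_BEARER_QOS_LEN. The 22-octet
 * layout assumed here follows the 3GPP TS 29.274 Bearer QoS IE: octet 0 flags
 * (PCI bit 6, PL bits 5..2, PVI bit 0), octet 1 QCI, then MBR UL, MBR DL, GBR UL,
 * GBR DL as 5-octet big-endian kbps values. */
#define BEARER_QOS_LEN 22
typedef struct { uint16_t len; const uint8_t *data; } tlv_octet_t;
typedef struct { uint8_t pci, pl, pvi, qci; uint64_t mbr_ul, mbr_dl, gbr_ul, gbr_dl; } bearer_qos_t;
static uint64_t get_be40(const uint8_t *p) {          /* 40-bit big-endian rate */
    uint64_t v = 0;
    for (int i = 0; i < 5; i++) v = (v << 8) | p[i];
    return v;
}
/* Hardened parser: returns octets consumed, or 0 for a malformed IE. The
 * pre-patch code asserted on the length here and aborted the whole process. */
int parse_bearer_qos(bearer_qos_t *out, const tlv_octet_t *octet) {
    if (!out || !octet || !octet->data) return 0;
    if (octet->len != BEARER_QOS_LEN) {
        fprintf(stderr, "Invalid Bearer QoS IE length [%u], expected [%u]\n",
                (unsigned)octet->len, (unsigned)BEARER_QOS_LEN);
        return 0;                      /* caller must check this before using *out */
    }
    const uint8_t *d = octet->data;
    out->pci = (d[0] >> 6) & 1;
    out->pl  = (d[0] >> 2) & 0x0f;
    out->pvi = d[0] & 1;
    out->qci = d[1];
    out->mbr_ul = get_be40(d + 2);
    out->mbr_dl = get_be40(d + 7);
    out->gbr_ul = get_be40(d + 12);
    out->gbr_dl = get_be40(d + 17);
    return BEARER_QOS_LEN;
}
/* Constructed sample IE: PCI=1, PL=2, PVI=1, QCI 9, MBR 1000/2000 kbps, GBR 0/0. */
static const uint8_t ok_bytes[BEARER_QOS_LEN] = {
    0x49, 0x09, 0,0,0,0x03,0xE8, 0,0,0,0x07,0xD0, 0,0,0,0,0, 0,0,0,0,0 };
static const tlv_octet_t SAMPLE_OK  = { BEARER_QOS_LEN, ok_bytes };
static const tlv_octet_t SAMPLE_BAD = { 5, ok_bytes };  /* wire length field lies */
int main(void) {
    bearer_qos_t q;
    int n = parse_bearer_qos(&q, &SAMPLE_OK);
    printf("valid IE: consumed %d octets, QCI %u\n", n, (unsigned)q.qci);
    n = parse_bearer_qos(&q, &SAMPLE_BAD);
    printf("malformed IE: returned %d, process still running\n", n);
    return 0;
}
```

With the pre-patch ogs_assert the second call would have aborted the whole network function; here it logs and returns 0, which is why callers must check the return value.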
Detection Methods for CVE-2025-15418
Indicators of Compromise
- Unexpected process crashes or restarts of Open5GS components (SMF, SGW-C, PGW-C)
- Core dump files generated with assertion failure stack traces in ogs_gtp2_parse_bearer_qos
- Log entries indicating abnormal GTPv2 session terminations
- Increased rate of service restarts detected by process monitoring systems
Detection Strategies
- Monitor Open5GS process stability and implement crash detection alerting
- Analyze GTPv2 protocol traffic for malformed Bearer QoS Information Elements with unexpected length values
- Implement log analysis rules to detect assertion failures in the lib/gtp/v2/types.c module
- Deploy network intrusion detection signatures for anomalous GTP-C message patterns
Monitoring Recommendations
- Enable verbose logging for GTPv2 protocol handling to capture malformed message attempts
- Implement process health monitoring with automatic alerting on unexpected restarts
- Monitor system resources for patterns consistent with repeated crash-and-restart cycles
- Review core dumps and crash logs for evidence of exploitation attempts targeting the Bearer QoS parser
How to Mitigate CVE-2025-15418
Immediate Actions Required
- Apply the security patch identified by commit hash 4e913d21f2c032b187815f063dbab5ebe65fe83a
- Update Open5GS to a version that includes the fix (versions after 2.7.6 with the patch applied)
- Implement network segmentation to restrict access to GTP-C interfaces from untrusted sources
- Enable process restart policies to minimize service disruption if exploitation occurs before patching
Patch Information
The vulnerability has been addressed in the official Open5GS repository. The patch replaces the fatal assertion with proper input validation that logs an error and returns gracefully when encountering malformed Bearer QoS IE lengths. The fix is available in GitHub Commit 4e913d21f2c032b187815f063dbab5ebe65fe83a. Additional details and discussion can be found in the GitHub Issue Tracker Entry.
Workarounds
- Restrict network access to GTP-C interfaces to trusted network segments only
- Implement rate limiting on GTP-C interfaces to slow potential exploitation attempts
- Deploy process monitoring with automatic restart capabilities to reduce downtime during attacks
- Consider deploying Open5GS behind a GTP firewall capable of validating IE field lengths
# Configuration example - Restrict GTP-C interface access using iptables
# Replace <trusted_network> with your actual trusted network CIDR
iptables -A INPUT -p udp --dport 2123 -s <trusted_network> -j ACCEPT
iptables -A INPUT -p udp --dport 2123 -j DROP
# Enable process monitoring with systemd restart policy
# Add to Open5GS service unit file
# Restart=always
# RestartSec=5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.