CVE-2025-65805 Overview
A stack-based buffer overflow vulnerability (CWE-121) has been identified in OpenAirInterface CN5G AMF version 2.1.9 and earlier. The vulnerability exists in the processing of NAS (Non-Access Stratum) messages, where improper bounds checking allows an attacker to overflow a buffer by sending an overly long IMSI string. Unauthorized remote attackers can exploit this vulnerability to launch denial-of-service attacks and potentially achieve remote code execution by accessing port N1 and sending an IMSI string longer than 1000 characters.
Critical Impact
Remote attackers can crash the AMF service or potentially execute arbitrary code by sending malformed NAS messages with oversized IMSI strings, disrupting 5G core network operations.
Affected Products
- OpenAirInterface CN5G AMF version 2.1.9 and earlier
- 5G Core Network deployments using vulnerable AMF versions
- Systems with exposed N1 interface ports
Discovery Timeline
- 2026-01-07 - CVE-2025-65805 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-65805
Vulnerability Analysis
This vulnerability represents a classic stack-based buffer overflow condition in the 5G core network's Access and Mobility Management Function (AMF). The AMF is a critical component in 5G networks responsible for handling registration, connection, reachability, and mobility management. When processing NAS messages containing International Mobile Subscriber Identity (IMSI) data, the vulnerable code fails to properly validate the length of the incoming IMSI string before copying it into a fixed-size buffer.
The attack can be executed remotely without authentication, requiring no user interaction. The primary impact is service availability, as successful exploitation results in denial of service. However, the buffer overflow condition may also create opportunities for code execution depending on memory layout and exploitation techniques.
Root Cause
The root cause is insufficient input validation in the NAS message processing routine. The code accepts IMSI strings without properly checking their length against buffer boundaries. When an IMSI string exceeding 1000 characters is received, it overflows the allocated stack buffer, corrupting adjacent memory including potentially critical stack data such as return addresses and saved registers.
The vulnerability is classified as CWE-121 (Stack-based Buffer Overflow), indicating that the overflow occurs in stack memory rather than heap memory, which can make exploitation more straightforward in certain scenarios.
Attack Vector
The attack is network-based and targets the N1 interface, which handles communication between User Equipment (UE) and the AMF. An attacker with network access to the N1 interface can craft a malicious NAS message containing an IMSI string exceeding the expected buffer size. The attack flow involves:
- Establishing a connection to the target AMF's N1 interface
- Constructing a NAS message with an oversized IMSI field (>1000 characters)
- Sending the malformed message to trigger the buffer overflow
- The AMF crashes or executes attacker-controlled code depending on the payload
The vulnerability does not require authentication or valid credentials, making it accessible to any attacker with network connectivity to the vulnerable interface. For detailed technical analysis, refer to the GitHub Vulnerability Report.
Detection Methods for CVE-2025-65805
Indicators of Compromise
- Unexpected AMF service crashes or restarts
- Anomalous NAS messages with unusually large IMSI fields observed in network traffic
- Segmentation faults or memory corruption errors in AMF logs
- Unusual network traffic patterns targeting the N1 interface
Detection Strategies
- Implement network monitoring to detect NAS messages with IMSI strings exceeding normal lengths (typically 15 digits)
- Deploy intrusion detection rules to flag oversized IMSI fields in N1 interface traffic
- Monitor AMF process health for unexpected terminations or memory violations
- Enable enhanced logging for NAS message processing to capture malformed message attempts
Monitoring Recommendations
- Implement continuous monitoring of AMF service availability and process status
- Set up alerts for repeated connection attempts to the N1 interface from unusual sources
- Monitor system logs for buffer overflow indicators such as segfaults or stack smashing detected messages
- Deploy network traffic analysis tools to baseline and alert on anomalous NAS message patterns
How to Mitigate CVE-2025-65805
Immediate Actions Required
- Restrict network access to the N1 interface using firewall rules to limit exposure
- Implement network segmentation to isolate 5G core components from untrusted networks
- Monitor AMF services for signs of exploitation attempts
- Review and upgrade OpenAirInterface CN5G AMF to a patched version when available
Patch Information
No official patch information has been published at this time. Organizations should monitor the OpenAirInterface project for security updates and apply patches as soon as they become available. Until a patch is released, implementing the workarounds below is strongly recommended.
Workarounds
- Implement input validation at the network perimeter to reject NAS messages with oversized IMSI fields
- Deploy a network-based filter or WAF to drop packets containing IMSI strings exceeding 15 characters
- Restrict access to the N1 interface to only authorized and trusted network segments
- Consider running the AMF service in a sandboxed environment to limit the impact of potential exploitation
# Example: Restrict N1 interface access using iptables
# Allow only trusted networks to access AMF N1 interface (adjust ports as needed)
iptables -A INPUT -p tcp --dport <N1_PORT> -s <TRUSTED_NETWORK> -j ACCEPT
iptables -A INPUT -p tcp --dport <N1_PORT> -j DROP
# Enable logging for blocked attempts
iptables -A INPUT -p tcp --dport <N1_PORT> -j LOG --log-prefix "AMF-N1-BLOCKED: "
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
