CVE-2026-2517 Overview
A Denial of Service (DoS) vulnerability has been discovered in Open5GS versions up to 2.7.6. It affects the ogs_gtp2_parse_tft function in lib/gtp/v2/types.c, the GTPv2 parsing code used by the Session Management Function (SMF) component. By manipulating the pf[0].content.length argument, an attacker can trigger a denial of service condition. The vulnerability is remotely exploitable over the network, and exploit details have been publicly disclosed.
Critical Impact
Remote attackers can disrupt 5G core network services by targeting the SMF component, potentially causing service outages for mobile network subscribers.
Affected Products
- Open5GS versions up to and including 2.7.6
- Open5GS SMF (Session Management Function) component
- Systems that use the code in lib/gtp/v2/types.c for GTP packet processing
Discovery Timeline
- 2026-02-15 - CVE-2026-2517 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-2517
Vulnerability Analysis
This vulnerability is classified as CWE-404 (Improper Resource Shutdown or Release), affecting the GTP-C (GPRS Tunneling Protocol Control) version 2 implementation in Open5GS. The vulnerability resides in the Traffic Flow Template (TFT) parsing logic within the SMF component, which is critical for managing user data sessions in 5G networks.
The flaw occurs when processing malformed GTP packets containing manipulated TFT parameters. When the pf[0].content.length field contains unexpected values, the parsing function fails to properly validate and handle the resource allocation, leading to a denial of service condition. Since the attack vector is network-based and requires no authentication or user interaction, it poses a significant risk to 5G core network availability.
Root Cause
The root cause is improper resource handling in the ogs_gtp2_parse_tft function when processing packet filter content length values. The function fails to adequately validate the pf[0].content.length parameter before allocating or accessing resources, which can lead to resource exhaustion or improper release when malformed input is provided. This CWE-404 condition allows attackers to disrupt the normal operation of the SMF component.
Attack Vector
The attack is remotely exploitable over the network without requiring authentication or user interaction. An attacker can craft malicious GTP-C packets with manipulated TFT parameters targeting the SMF component. When the vulnerable ogs_gtp2_parse_tft function processes these packets, the improper handling of the content length field triggers the denial of service condition.
The vulnerability has been publicly disclosed through the Open5GS GitHub issue tracker, and exploit information is available. The project maintainers were notified through an issue report but, according to the disclosure timeline, have not yet responded.
Detection Methods for CVE-2026-2517
Indicators of Compromise
- Unexpected crashes or service restarts of the Open5GS SMF component
- Abnormal GTP-C traffic patterns with malformed TFT parameters
- An increase in error log entries attributed to lib/gtp/v2/types.c and related to TFT parsing failures
- Network service disruptions affecting subscriber session management
Detection Strategies
- Monitor Open5GS SMF process stability and implement alerting on unexpected terminations
- Deploy network intrusion detection rules to identify malformed GTP-C packets with anomalous TFT content length values
- Implement deep packet inspection for GTP traffic to detect manipulation of packet filter parameters
- Review SMF logs for parsing errors related to the ogs_gtp2_parse_tft function
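The length-consistency check that a GTP-aware filter or inspection rule would apply to a TFT information element can be sketched as follows. This is an added example, not Open5GS code and not the project's fix: the function name, result codes and sample bytes are hypothetical, the field layout is assumed from 3GPP TS 24.008 clause 10.5.6.12, and the specific length value that triggers CVE-2026-2517 is not stated on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes; names are illustrative, not Open5GS identifiers. */
enum tft_check { TFT_OK, TFT_TRUNCATED, TFT_LEN_OVERRUN, TFT_BAD_COUNT,
                 TFT_BAD_OPCODE, TFT_TRAILING };
/* TFT operation codes (TS 24.008): 1 create, 3 add, 4 replace carry full
 * packet filters; the ones named here are handled differently. */
enum { OP_DELETE_TFT = 2, OP_DELETE_PF = 5, OP_NO_OP = 6 };

/* Walk the value part of a TFT IE and check that every declared length
 * stays inside the buffer. *bad_pf gets the index of the offending packet
 * filter, or -1. The optional parameters list (E bit) is not walked. */
enum tft_check tft_check_lengths(const uint8_t *v, size_t len, int *bad_pf)
{
    *bad_pf = -1;
    if (len < 1) return TFT_TRUNCATED;
    unsigned op = v[0] >> 5, ebit = (v[0] >> 4) & 1, num = v[0] & 0x0f;
    size_t off = 1;
    if (op == 0 || op == 7) return TFT_BAD_OPCODE;  /* rejected in this example */
    if ((op == OP_DELETE_TFT || op == OP_NO_OP) && num != 0) return TFT_BAD_COUNT;
    for (unsigned i = 0; i < num; i++) {
        *bad_pf = (int)i;
        if (op == OP_DELETE_PF) {            /* identifier list: one octet each */
            if (len - off < 1) return TFT_TRUNCATED;
            off += 1;
            continue;
        }
        if (len - off < 3) return TFT_TRUNCATED;   /* id, precedence, length */
        size_t clen = v[off + 2];                  /* declared content length */
        off += 3;
        if (clen > len - off) return TFT_LEN_OVERRUN;  /* compare before use */
        off += clen;
    }
    *bad_pf = -1;
    return (!ebit && off != len) ? TFT_TRAILING : TFT_OK;
}

/* Constructed samples: "create new TFT" with a protocol-identifier component. */
const uint8_t sample_ok[]      = { 0x21, 0x30, 0x01, 0x02, 0x30, 0x11 };
const uint8_t sample_overrun[] = { 0x21, 0x30, 0x01, 0x09, 0x30, 0x11 };
const uint8_t sample_short[]   = { 0x22, 0x30, 0x01, 0x02, 0x30, 0x11 };

int main(void)
{
    int pf;
    int r = (int)tft_check_lengths(sample_overrun, sizeof sample_overrun, &pf);
    printf("overrun sample: result=%d, packet filter=%d\n", r, pf);
    return r == TFT_LEN_OVERRUN ? 0 : 1;
}
```

Any result other than TFT_OK is a candidate for dropping the message and raising an alert, with the packet filter index recorded for triage.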
Monitoring Recommendations
- Enable verbose logging on Open5GS SMF components to capture TFT parsing events
- Implement real-time monitoring of GTP-C interface traffic for anomaly detection
- Configure alerts for repeated SMF service failures or resource exhaustion conditions
- Establish baseline metrics for normal GTP traffic patterns to identify deviations
How to Mitigate CVE-2026-2517
Immediate Actions Required
- Review your Open5GS deployment and identify all instances running version 2.7.6 or earlier
- Implement network segmentation to restrict access to GTP-C interfaces from untrusted networks
- Monitor the Open5GS GitHub repository for official patches or security updates
- Consider implementing rate limiting on GTP-C traffic to reduce the impact of potential attacks
Patch Information
As of the last update on 2026-02-18, no official patch has been released by the Open5GS project. The vulnerability was reported through GitHub issue #4281, but the project has not yet responded. Organizations should monitor the Open5GS repository for updates and apply patches as soon as they become available.
Workarounds
- Restrict network access to the SMF component's GTP-C interfaces using firewall rules
- Implement network-level filtering to block malformed GTP packets before they reach the SMF
- Deploy a GTP-aware firewall or security gateway in front of Open5GS infrastructure
- Consider isolating the affected SMF instances and implementing redundancy to maintain service availability
```bash
# Example: Restrict GTP-C access to trusted networks only
# Add iptables rules to limit access to GTP-C port (default 2123/udp)
iptables -A INPUT -p udp --dport 2123 -s <trusted_network_cidr> -j ACCEPT
iptables -A INPUT -p udp --dport 2123 -j DROP

# Monitor SMF service status
systemctl status open5gs-smfd

# Check logs for TFT parsing errors
journalctl -u open5gs-smfd | grep -i "tft\|parse\|error"
```


