Cyber Resilience

CVE-2023-36998

High

Published: 22 January 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 8.9 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H)
EPSS Score: 0.0021 (43.7th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-36998 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Nextepc (inferred from references). Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 43.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2023-36998 is a stack-based buffer overflow vulnerability (CWE-121) in the Emergency Number List decoding method of NextEPC MME versions up to and including 1.0.1. The flaw allows an attacker to send a NAS message with an oversized Emergency Number List value, causing the MME to overwrite the stack with arbitrary bytes. It has a CVSS v3.1 base score of 8.9 (AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H) and was published on 2025-01-22.

An attacker with a cellphone connection to any base station managed by the affected MME can exploit this vulnerability without authenticating to the LTE core. By crafting and transmitting a malicious NAS message, the attacker can trigger the buffer overflow, potentially achieving arbitrary code execution, integrity violations, or denial of service on the MME, given the high impact on integrity and availability alongside scoped confidentiality effects.

Mitigation involves updating to the fixed commit a8492c9c5bc0a66c6999cb5a263545b32a4109df. Additional details are available in advisories at http://nextepc.com and https://cellularsecurity.org/ransacked.

EU & UK References

Vulnerability details

The NextEPC MME <= 1.0.1 (fixed in commit a8492c9c5bc0a66c6999cb5a263545b32a4109df) contains a stack-based buffer overflow vulnerability in the Emergency Number List decoding method. An attacker may send a NAS message containing an oversized Emergency Number List value to the MME to overwrite the stack with arbitrary bytes. An attacker with a cellphone connection to any base station managed by the MME may exploit this vulnerability without having to authenticate with the LTE core.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A buffer overflow in MME NAS message processing enables remote code execution on a network-exposed core component via crafted protocol messages sent from an adjacent network.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-11779 (shared CWE-121)
CVE-2026-25823 (shared CWE-121)
CVE-2025-69766 (shared CWE-121)
CVE-2025-60691 (shared CWE-121)
CVE-2019-25364 (shared CWE-121)
CVE-2026-39047 (shared CWE-121)
CVE-2025-69764 (shared CWE-121)
CVE-2019-25319 (shared CWE-121)
CVE-2025-54491 (shared CWE-121)
CVE-2026-42469 (shared CWE-121)

Affected Assets

Nextepc
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: SI-10 requires validation of NAS message inputs, such as the Emergency Number List size, to prevent stack-based buffer overflows from oversized values.

Prevent: SI-16 implements memory protections such as stack canaries and ASLR, which detect or hinder exploitation of a stack overwrite even if invalid input reaches the decoder.

Prevent: SI-2 ensures timely application of the specific patch (commit a8492c9c5bc0a66c6999cb5a263545b32a4109df) to remediate the buffer overflow flaw in NextEPC MME.
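The SI-10 control above, applied to a length-prefixed field such as the Emergency Number List, looks like the following added example. It is not NextEPC's code or its fix; the type `enl_t`, the functions `decode_enl` and `enl_consumed`, the capacity `ENL_MAX_LEN` and the sample byte strings are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative destination capacity; an assumption, not a NextEPC value. */
#define ENL_MAX_LEN 48

typedef struct {            /* hypothetical decoded-IE type */
    uint8_t length;
    uint8_t value[ENL_MAX_LEN];
} enl_t;

/* Decode a length-prefixed value from msg[0..msg_len).
 * Returns the number of bytes consumed, or -1 if the field is malformed. */
int decode_enl(enl_t *out, const uint8_t *msg, size_t msg_len)
{
    if (out == NULL || msg == NULL || msg_len < 1)
        return -1;

    uint8_t claimed = msg[0];   /* length octet, fully sender-controlled */

    /* The CWE-121 pattern is memcpy(out->value, msg + 1, claimed) here,
     * trusting the length octet. Both checks below must pass first. */
    if ((size_t)claimed > sizeof(out->value))   /* larger than destination */
        return -1;
    if ((size_t)claimed > msg_len - 1)          /* longer than bytes received */
        return -1;

    out->length = claimed;
    memcpy(out->value, msg + 1, claimed);
    return 1 + (int)claimed;
}

/* Decode into a stack-allocated struct, as a message handler would. */
int enl_consumed(const uint8_t *msg, size_t msg_len)
{
    enl_t enl;                  /* lives on the stack */
    return decode_enl(&enl, msg, msg_len);
}

/* Constructed sample inputs (not captured traffic). */
const uint8_t ENL_VALID[]     = { 0x03, 0x03, 0x1f, 0x19 };
const uint8_t ENL_OVERSIZED[] = { 0xc8, 0x41, 0x41, 0x41 };
const uint8_t ENL_TRUNCATED[] = { 0x05, 0x01, 0x02 };
```

The second check matters as much as the first: a length that fits the destination but exceeds the received message turns the overflow into an out-of-bounds read.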

References