Cyber Resilience

CVE-2026-2517

MediumPublic PoC

Published: 15 February 2026

Published
15 February 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0011 28.6th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2517 is a medium-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Open5Gs Open5Gs. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 28.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2026-2517 is a denial-of-service vulnerability in Open5GS versions up to and including 2.7.6. The flaw resides in the ogs_gtp2_parse_tft function within the library file lib/gtp/v2/types.c of the SMF component. By manipulating the argument pf[0].content.length, an attacker can trigger improper resource shutdown (CWE-404), leading to a crash or service disruption. The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity, requiring no user interaction or privileges. Successful exploitation results in limited denial of service, specifically impacting availability without affecting confidentiality or integrity.

References indicate the issue was reported to the Open5GS project via GitHub issue #4281, including a detailed comment at #issue-3807802287, but the project has not yet responded or released a patch. VulDB entries (ctiid.346108 and id.346108) document the vulnerability, noting that a public exploit is available, which increases the risk of attacks against exposed SMF instances.

The exploit code has been publicly released, enabling potential immediate threats to deployments of vulnerable Open5GS versions.

EU & UK References

Vulnerability details

A security flaw has been discovered in Open5GS up to 2.7.6. This vulnerability affects the function ogs_gtp2_parse_tft in the library lib/gtp/v2/types.c of the component SMF. Performing a manipulation of the argument pf[0].content.length results in denial of service. The attack is…

more

possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE enables remote unauthenticated crash of Open5GS SMF via crafted GTPv2 TFT parsing (improper shutdown), directly matching T1499.004 Application or System Exploitation for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1587Same product: Open5Gs Open5Gs
CVE-2026-1586Same product: Open5Gs Open5Gs
CVE-2026-1522Same product: Open5Gs Open5Gs
CVE-2026-1521Same product: Open5Gs Open5Gs
CVE-2026-4240Same product: Open5Gs Open5Gs
CVE-2025-15529Same product: Open5Gs Open5Gs
CVE-2025-1925Same product: Open5Gs Open5Gs
CVE-2025-1893Same product: Open5Gs Open5Gs
CVE-2026-2524Same product: Open5Gs Open5Gs
CVE-2025-15539Same product: Open5Gs Open5Gs

Affected Assets

open5gs
open5gs
≤ 2.7.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces validation of the pf[0].content.length field inside ogs_gtp2_parse_tft before the malformed GTPv2 TFT is processed, blocking the crash.

prevent

Provides network-level controls (rate limiting, malformed GTP message filtering) that can stop exploitation of the publicly released remote DoS against the SMF.

prevent

Requires graceful error handling for invalid length values in protocol parsers so the SMF does not terminate on the CWE-404 condition.

References