CVE-2026-2517
Published: 15 February 2026
Summary
CVE-2026-2517 is a medium-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Open5Gs Open5Gs. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 28.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2026-2517 is a denial-of-service vulnerability in Open5GS versions up to and including 2.7.6. The flaw resides in the ogs_gtp2_parse_tft function within the library file lib/gtp/v2/types.c of the SMF component. By manipulating the argument pf[0].content.length, an attacker can trigger improper resource shutdown (CWE-404), leading to a crash or service disruption. The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity, requiring no user interaction or privileges. Successful exploitation results in limited denial of service, specifically impacting availability without affecting confidentiality or integrity.
References indicate the issue was reported to the Open5GS project via GitHub issue #4281, including a detailed comment at #issue-3807802287, but the project has not yet responded or released a patch. VulDB entries (ctiid.346108 and id.346108) document the vulnerability, noting that a public exploit is available, which increases the risk of attacks against exposed SMF instances.
The exploit code has been publicly released, enabling potential immediate threats to deployments of vulnerable Open5GS versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5828
Vulnerability details
A security flaw has been discovered in Open5GS up to 2.7.6. This vulnerability affects the function ogs_gtp2_parse_tft in the library lib/gtp/v2/types.c of the component SMF. Performing a manipulation of the argument pf[0].content.length results in denial of service. The attack is…
more
possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote unauthenticated crash of Open5GS SMF via crafted GTPv2 TFT parsing (improper shutdown), directly matching T1499.004 Application or System Exploitation for DoS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces validation of the pf[0].content.length field inside ogs_gtp2_parse_tft before the malformed GTPv2 TFT is processed, blocking the crash.
Provides network-level controls (rate limiting, malformed GTP message filtering) that can stop exploitation of the publicly released remote DoS against the SMF.
Requires graceful error handling for invalid length values in protocol parsers so the SMF does not terminate on the CWE-404 condition.