CVE-2026-2517
Published: 15 February 2026
Summary
CVE-2026-2517 is a medium-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Open5Gs Open5Gs. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 28.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Contingency plan updates incorporate proper resource shutdown and release steps, preventing attackers from leveraging incomplete cleanup during recovery scenarios.
Mandates explicit shutdown of the network connection at session conclusion, directly addressing improper resource release.
Requires proper shutdown/release procedures that include overwriting or isolating data to block unintended transfer via reused system objects.
Procedures can mandate orderly shutdown or release of resources when failures occur, preventing improper resource handling after a fault.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote unauthenticated crash of Open5GS SMF via crafted GTPv2 TFT parsing (improper shutdown), directly matching T1499.004 Application or System Exploitation for DoS.
NVD Description
A security flaw has been discovered in Open5GS up to 2.7.6. This vulnerability affects the function ogs_gtp2_parse_tft in the library lib/gtp/v2/types.c of the component SMF. Performing a manipulation of the argument pf[0].content.length results in denial of service. The attack is…
more
possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysisAI
CVE-2026-2517 is a denial-of-service vulnerability in Open5GS versions up to and including 2.7.6. The flaw resides in the ogs_gtp2_parse_tft function within the library file lib/gtp/v2/types.c of the SMF component. By manipulating the argument pf[0].content.length, an attacker can trigger improper resource shutdown (CWE-404), leading to a crash or service disruption. The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity, requiring no user interaction or privileges. Successful exploitation results in limited denial of service, specifically impacting availability without affecting confidentiality or integrity.
References indicate the issue was reported to the Open5GS project via GitHub issue #4281, including a detailed comment at #issue-3807802287, but the project has not yet responded or released a patch. VulDB entries (ctiid.346108 and id.346108) document the vulnerability, noting that a public exploit is available, which increases the risk of attacks against exposed SMF instances.
The exploit code has been publicly released, enabling potential immediate threats to deployments of vulnerable Open5GS versions.
Details
- CWE(s)