CVE-2025-44951

7.1 HIGH

📋 TL;DR

A buffer overflow vulnerability in the PFCP library of open5gs allows a local attacker to execute arbitrary code or cause denial of service by providing overly long device identifiers. This affects both SMF and UPF components in open5gs versions 2.7.2 and earlier.

💻 Affected Systems

Products:
  • open5gs
Versions: 2.7.2 and earlier
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both the SMF (Session Management Function) and UPF (User Plane Function) components when using the PFCP protocol.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local privilege escalation leading to full system compromise via arbitrary code execution.

🟠 Likely Case

Denial of service causing SMF/UPF service crashes and network disruption.

🟢 If Mitigated

Service disruption limited to affected components with no lateral movement.

🌐 Internet-Facing: LOW - Requires local access to the system.
🏢 Internal Only: HIGH - Local attackers or compromised services can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the system but the vulnerability is straightforward to trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit e3dd98cd291fba233a46adb2881213fc6e38b924

Vendor Advisory: https://github.com/open5gs/open5gs/issues/3775

Restart Required: Yes

Instructions:

1. Update open5gs to the latest version or apply commit e3dd98cd291fba233a46adb2881213fc6e38b924
2. Restart both SMF and UPF services
3. Verify the fix by checking the session.dev field length validation

🔧 Temporary Workarounds

Input validation via wrapper

Implement a wrapper function that validates the length of the session.dev field before passing it to ogs_pfcp_dev_add.

Implement custom validation: if(strlen(session.dev) > 32) { return ERROR; }
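
The wrapper described above, written out as an added example; it is not code from open5gs or from the advisory. The names dev_name_check, checked_dev_add, dev_add_fn and the stub are hypothetical, the limit of 32 is taken from the check quoted above, and the destination buffer is assumed to hold 32 bytes plus the terminating NUL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limit from the check quoted above (assumption: the destination buffer
 * holds DEV_NAME_MAX bytes plus the terminating NUL; confirm in your build). */
#define DEV_NAME_MAX 32

enum dev_check { DEV_OK = 0, DEV_NULL, DEV_EMPTY, DEV_TOO_LONG };

/* Hypothetical callback type standing in for the downstream add routine. */
typedef void *(*dev_add_fn)(const char *ifname);

/* Classify a device name, never reading more than DEV_NAME_MAX + 1 bytes. */
enum dev_check dev_name_check(const char *dev)
{
    size_t n = 0;
    if (dev == NULL)
        return DEV_NULL;
    while (n <= DEV_NAME_MAX && dev[n] != '\0')
        n++;
    if (n == 0)
        return DEV_EMPTY;
    return n > DEV_NAME_MAX ? DEV_TOO_LONG : DEV_OK;
}

/* Forward the name to `add` only if it passes; otherwise log and refuse. */
void *checked_dev_add(const char *dev, dev_add_fn add)
{
    enum dev_check rc = dev_name_check(dev);
    if (rc != DEV_OK) {
        fprintf(stderr, "session.dev rejected (reason %d)\n", (int)rc);
        return NULL;
    }
    return add(dev);
}

/* Constructed stand-in for the real add routine, used only by this demo. */
static char stub_ifname[DEV_NAME_MAX + 1];
void *stub_dev_add(const char *ifname)
{
    return strcpy(stub_ifname, ifname);
}

int main(void)
{
    printf("ogstun: %s\n", checked_dev_add("ogstun", stub_dev_add) ? "added" : "refused");
    return 0;
}
```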

🧯 If You Can't Patch

  • Restrict local access to open5gs systems using strict user permissions and access controls.
  • Monitor for abnormal process crashes or memory usage in SMF/UPF components.

🔍 How to Verify

Check if Vulnerable:

Check the open5gs version with open5gs --version and verify whether it is 2.7.2 or earlier.

Check Version:

open5gs --version

Verify Fix Applied:

Verify the commit e3dd98cd291fba233a46adb2881213fc6e38b924 is present in your installation.

📡 Detection & Monitoring

Log Indicators:

  • SMF/UPF process crashes
  • Memory access violation errors in system logs
  • Abnormal termination of ogs-pfcp processes

Network Indicators:

  • PFCP session establishment failures
  • Unusual PFCP message sizes exceeding normal bounds

SIEM Query:

process_name:ogs* AND (event_type:crash OR error_message:"buffer overflow" OR error_message:"segmentation fault")
