CVE-2023-23846

Published: Feb 1, 2023

Modified: Mar 27, 2025

PUBLISHED

Description

Due to insufficient length validation in the Open5GS GTP library versions prior to versions 2.4.13 and 2.5.7, when parsing extension headers in GPRS tunneling protocol (GPTv1-U) messages, a protocol payload with any extension header length set to zero causes an infinite loop. The affected process becomes immediately unresponsive, resulting in denial of service and excessive resource consumption. CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

Vendor	Product	Versions
Open5GS	Open5GS	affected `<= 2.4.12` affected `<= 2.5.6`

Weaknesses (CWE)

CWE-770

References

https://www.synopsys.com/blogs/software-security/cyrc-advisory-open5gs-gtp-library/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-23846

Description

Affected Products

Weaknesses (CWE)

References