AIKIDO-2026-10403

open5gs.open5gs is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) | CVE-2026-4240 | Published Mar 20, 2026

53

Medium Risk

This Affects:

C++ open5gs.open5gs
2.7.0 - 2.7.6
Fixed in 2.7.7

TL;DR

Open5GS (5G Core and EPC) prior to 2.7.7 is affected by multiple issues in protocol and SBI parsing that can be triggered by malformed or crafted input. TLV pool exhaustion during GTP message parsing caused ogs_assert() aborts, crashing SGW-C/PGW-C/MME. Requester-features parsing used strtoll() and aborted on ERANGE, allowing a remote peer to crash the NRF with an overly large hexadecimal value. The GTPv1/v2 parsers lacked length validation on IE fields (e.g. PAA, IMEISV, ULI), leading to heap or stack overflows and assert-based aborts on malformed IEs. CCA handler callbacks could also cause denial of service. The patched release adds bounds checks, replaces asserts with error handling, validates IE lengths, and handles TLV allocation failures gracefully.
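
The requester-features failure mode described above, shown as an added example of returning an error instead of asserting; this is not Open5GS code. The name parse_features_hex is hypothetical, and strtoull() is used here in place of strtoll() so the full unsigned 64-bit range parses.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper, not an Open5GS function: parse a peer-supplied
 * hexadecimal feature bitmask. Returns 0 on success and -1 on malformed
 * or out-of-range input, so the caller can reject the request instead
 * of aborting the process. */
int parse_features_hex(const char *s, uint64_t *out)
{
    char *end = NULL;
    unsigned long long v;

    if (s == NULL || out == NULL || *s == '\0')
        return -1;

    /* Accept hex digits only: strtoull alone would also take leading
     * whitespace, a sign, or a "0x" prefix. */
    for (const char *p = s; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
              (c >= 'A' && c <= 'F')))
            return -1;
    }

    errno = 0;
    v = strtoull(s, &end, 16);
    if (errno == ERANGE)              /* too large: an error, not an assert */
        return -1;
    if (end == s || *end != '\0')     /* defensive: nothing or partly parsed */
        return -1;

    *out = (uint64_t)v;               /* assumes 64-bit unsigned long long */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs; the third one is 2^64 and overflows. */
    const char *samples[] = { "1f", "ffffffffffffffff", "10000000000000000", "0x1f" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t v = 0;
        int rc = parse_features_hex(samples[i], &v);
        printf("%-18s rc=%d value=0x%llx\n", samples[i], rc, (unsigned long long)v);
    }
    return 0;
}
```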

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

open5gs.open5gs is vulnerable to Denial of Service (DoS) in versions 2.7.0 - 2.7.6.

How to fix this

Upgrade open5gs.open5gs to the patched version, 2.7.7.