Open5GS hit by MME and SMF crash vulnerabilities discovered by P1 Security
Open5GS is one of the best-known open source implementations of 5G Core and EPC for LTE and NR networks. That makes robustness in control plane and session handling a real security requirement, not just a developer convenience. The Open5GS site presents the project as an open source implementation for 5G Core and EPC used for building and managing LTE and NR mobile networks.
In March 2026, two Open5GS issues highlighted exactly why that matters. Both showed that malformed protocol input could do more than trigger a clean error path. Under the right conditions, it could crash core network functions and create denial of service conditions. One issue affected the MME in LTE attach handling. The other affected the SMF during parsing of malformed EPCO in a 5G PDU Session Establishment flow. Both public issue reports were filed against Open5GS v2.7.6.
P1 Security is also currently listed among the Silver Sponsors on the Open5GS website. That adds useful context to these findings: the research reflects practical protocol level security testing alongside active engagement with the Open5GS ecosystem.
For the full technical breakdown, affected versions, CVE references, and remediation details, see P1 Security’s security advisories at cve.p1sec.com. That is the central source for the disclosures related to these findings.
Why Open5GS matters
Open5GS is widely used in labs, private networks, interoperability environments, and research deployments because it provides an accessible open source core for LTE EPC and 5G Core workflows. Its role in the ecosystem makes parser and state machine resilience especially important. If malformed signaling or malformed subscriber supplied protocol content can crash key functions such as the MME or SMF, the impact is broader than a simple bug. It becomes a service availability problem.
In practice, that means a weakness in how Open5GS handles LTE NAS attach flows or 5G session establishment input can translate into disruption of subscriber onboarding, session creation, and core service continuity. That is why these findings matter technically and operationally.
What P1 Security found in Open5GS
The two Open5GS issues point to the same broader lesson: malformed protocol data must be treated as hostile at every parser boundary and every state transition.
One issue involved an MME crash caused by malformed S1AP and NAS Attach Request handling. According to the public report, Open5GS v2.7.6 could hit a fatal abort during a stateful LTE re-attach flow when the EPS Mobile Identity IMSI encoding in an Attach Request was malformed. The issue description states that Open5GS did not reject the malformed identity cleanly, and that during a release and re-attach sequence the MME could reach a fatal branch in mme_state_operational() while processing NAS message type 65, causing an MME crash and denial of service.
The second issue involved an SMF crash when parsing malformed EPCO in a PDU Session Establishment Request. The public report states that open5gs-smfd in Open5GS v2.7.6 crashes when parsing malformed Extended Protocol Configuration Options, or EPCO, inside a PDU Session Establishment Request. The report traces the problem to ogs_pco_parse() and explains that inconsistent outer PCO length versus inner item encoding can trigger an assertion failure, causing abort() and immediate SMF termination. The reported impact is a remote denial of service condition.
Taken together, these two cases show a consistent pattern. Malformed LTE and 5G signaling should have been rejected safely, but instead reached logic paths that could terminate critical core functions.
The technical pattern behind the Open5GS findings
Although the two findings affect different functions and different procedures, the technical pattern is consistent.
The first issue shows a stateful LTE NAS and S1AP handling weakness where malformed subscriber identity content appears to interact badly with UE context reuse and EMM state processing, eventually triggering a fatal abort in the MME. The issue report specifically describes a malformed Attach Request, release of UE context, and immediate re-attach sequence that ends in a fatal state handling path.
The second issue shows a bounds and parser robustness weakness where malformed EPCO content can drive an SMF parsing routine into an assertion failure instead of a safe decoding error. The report explicitly notes that malformed or truncated PCO or EPCO should be rejected cleanly, and that production parser paths should not allow attacker controlled input to terminate the SMF process.
Taken together, they reinforce four core security lessons for mobile core implementations.
Protocol fields must be validated before use.
Malformed identity encoding, inconsistent container lengths, and truncated items must be rejected before business logic or parser internals trust them.
State machines must not trust partially corrupted context.
The MME issue is especially important because it suggests malformed signaling can influence how existing UE context is recovered or reused.
Assertions must not be reachable from attacker controlled traffic in production paths.
The SMF issue is a textbook example of how an internal sanity check can become a denial of service vector when exposed to malformed UE supplied input.
Telecom protocol security still requires specialist testing.
These are not generic web security bugs. They sit in LTE NAS, S1AP, EPCO, and PDU session handling, which is exactly where telecom specific expertise matters most.
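The EPCO parsing weakness described above, together with the first and third lessons, illustrated by an added example that is not Open5GS code: a hypothetical container walker (pco_parse_safe) that rejects any mismatch between the outer IE length and the inner item lengths with an error return rather than an assertion. The container layout follows 3GPP TS 24.008 10.5.6.3; the sample byte strings are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical PCO/EPCO container walker, not Open5GS's ogs_pco_parse().
 * Layout per 3GPP TS 24.008 10.5.6.3: one header octet (ext bit set, low
 * 3 bits = configuration protocol), then containers of [2-octet protocol
 * ID][1-octet length][contents]; EPCO nests this in a 2-octet IE length. */
#define PCO_MAX_ITEMS 8
typedef struct { uint16_t id; uint8_t len; const uint8_t *data; } pco_item_t;
typedef struct { uint8_t config_proto; size_t n; pco_item_t item[PCO_MAX_ITEMS]; } pco_t;

/* Returns the container count, or -1 on any mismatch between the outer IE
 * length and the inner item encoding. Every check is a plain branch: an
 * assert() here would be reachable from UE bytes and would abort() the SMF. */
int pco_parse_safe(pco_t *out, const uint8_t *buf, size_t outer_len)
{
    size_t pos = 1;
    memset(out, 0, sizeof(*out));
    if (buf == NULL || outer_len < 1 || (buf[0] & 0x80) == 0) return -1;
    out->config_proto = buf[0] & 0x07;
    while (pos < outer_len) {
        if (outer_len - pos < 3) return -1;           /* truncated header */
        uint16_t id = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
        uint8_t len = buf[pos + 2];
        pos += 3;
        if (len > outer_len - pos) return -1;         /* item overruns IE */
        if (out->n >= PCO_MAX_ITEMS) return -1;       /* bounded item count */
        out->item[out->n].id = id;
        out->item[out->n].len = len;
        out->item[out->n].data = buf + pos;
        out->n++;
        pos += len;
    }
    return (int)out->n;
}

/* Constructed samples (not taken from the issue reports). */
static const uint8_t PCO_OK[] = {
    0x80,                         /* ext=1, config protocol 0 (PPP) */
    0x00, 0x0d, 0x00,             /* DNS server IPv4 address request, empty */
    0x00, 0x0a, 0x00,             /* IP address allocation via NAS, empty */
};
/* Outer length is 7 octets, but the first item claims 9 octets of contents. */
static const uint8_t PCO_BAD[] = { 0x80, 0x00, 0x0d, 0x09, 0x00, 0x0a, 0x00 };
int demo_ok(void)  { pco_t p; return pco_parse_safe(&p, PCO_OK, sizeof PCO_OK); }
int demo_bad(void) { pco_t p; return pco_parse_safe(&p, PCO_BAD, sizeof PCO_BAD); }
```

The same walker also rejects a buffer cut off inside a container header, the truncated-EPCO case the report says should be refused cleanly.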
Why this research matters
This Open5GS research matters because it demonstrates practical, protocol aware vulnerability discovery in one of the most recognized open source mobile core projects in the ecosystem. Open5GS is publicly positioned as a platform for LTE and NR mobile networks, and failures in parser or state handling can directly affect core network availability.
The findings uncovered denial of service paths in both LTE and 5G related processing: one in the MME during attach handling, and one in the SMF during PDU session establishment parsing. That matters because it shows how malformed signaling can affect not just parser correctness, but actual control plane and session management availability.
It also reinforces a broader lesson for the industry. Open source telecom cores are valuable because they accelerate experimentation, testing, integration, and private network deployment. But they also need the same rigorous security scrutiny as commercial telecom software. Findings like these help make that scrutiny real.
Affected versions and public issue references
Both public disclosures were reported against Open5GS v2.7.6. One issue was published as GitHub issue #4357, describing an MME crash caused by malformed S1AP and NAS Attach Request handling. The other was published as GitHub issue #4341, describing an SMF crash caused by malformed EPCO in a PDU Session Establishment Request. Both issue reports indicated CVE requested status in their public disclosure text.
For readers who want the full technical details, CVE mapping, affected versions, and fix information, P1 Security’s security advisories are available at cve.p1sec.com. The advisories contain the complete reference material for these disclosures.
Final take
The Open5GS disclosures show how denial of service risk can emerge from parser and state handling weaknesses inside a mobile core. P1 Security uncovered two Open5GS vulnerabilities affecting critical core functions. One issue showed that malformed S1AP and NAS Attach Request handling could crash the MME during a stateful LTE re-attach sequence. The other showed that malformed EPCO inside a PDU Session Establishment Request could crash the SMF through an assertion failure in PCO parsing.
These findings do more than highlight two bugs. They underline a broader reality in mobile core security: malformed protocol input must never be allowed to take down key network functions. That is exactly the kind of problem deep telecom security research is supposed to uncover.
For the full technical details, CVE references, affected versions, and remediation information, see P1 Security’s security advisories at cve.p1sec.com. The complete disclosure material is available there.