← back to research

A pre-auth crash in the 5G core: out-of-bounds read in Open5GS

Cipher reported a pre-authentication out-of-bounds read in Open5GS, the open-source 5G core. One malformed NAS message reaches the AMF before authentication and crashes it, taking service down for every connected subscriber.


The mobile network’s core is supposed to be the trusted part. Open5GS is the widely used open-source implementation of the 4G and 5G core, run in research labs, private networks, and production mobile deployments. As part of our research into the software that critical infrastructure runs on, Cipher found a memory-safety flaw in its 5G core that an attacker can reach before authenticating, and that takes the core down.

This one is High severity (CVSS 8.6). It is a denial of service, not code execution, but it needs no credentials and a single packet, and it affects every subscriber on the core rather than just the sender.

IMPORTANT

Who’s exposed. You’re affected if you run an Open5GS 5G core (2.7.7 and earlier) whose AMF can be reached by anything able to put a NAS packet on its signaling path: a rogue or malfunctioning device, or any host with a route to the AMF. One malformed pre-authentication message crashes the AMF and takes signaling down for every subscriber on the core, not only the sender. No credentials, no valid SIM, a single packet. The fix shipped in Open5GS 2.8.0; upgrade to it, and keep the AMF’s signaling interface off untrusted networks.

The surface

In 5G, devices talk to the network through NAS (Non-Access Stratum) signaling, handled by the AMF, the Access and Mobility Management Function. Some of that signaling, including the messages that carry a device’s mobile identity, is processed before the device has authenticated. That makes the NAS parser one of the most exposed pieces of code in the whole core: anything that can send a packet to the AMF can reach it, with no credentials required.

The root cause

The flaw is in how the AMF decodes the 5GS mobile-identity element. The decoder reads the length declared in the message and creates a pointer into the packet buffer, without first checking that the declared length meets the minimum the identity type actually requires. When the declared length is smaller than the type being parsed needs, the decoder reads past the end of the buffer: a heap out-of-bounds read.

The assumption is that the length a message claims and the length a type requires agree. Nothing enforces that against an attacker who writes the message.

Impact

A single malformed NAS message, sent by an unauthenticated attacker, drives the out-of-bounds read and crashes the AMF. Because the AMF is the control point every device attaches through, that crash is a denial of service for every subscriber on the core, not only the sender. Severity is High, CVSS 8.6, CWE-125.

Remediation

The fix shipped in Open5GS 2.8.0, which validates each mobile-identity length before casting the buffer to a fixed-size SUCI, GUTI, or 5G-S-TMSI structure. So:

  • Upgrade to 2.8.0 or later.
  • In addition, keep the AMF’s NAS signaling interface off untrusted networks. The bug is pre-authentication, so reachability is the whole precondition: a core whose AMF only accepts traffic from trusted radio-access elements is far harder to reach.
  • As an early warning, alert on AMF restarts that line up with malformed NAS mobile-identity messages.

Disclosure

  • Software: Open5GS 2.7.7 and earlier (5G core, AMF NAS decoder).
  • Class: CWE-125, out-of-bounds read.
  • Severity: High, CVSS 8.6.
  • CVE: CVE-2026-15720.
  • Advisory: GHSA-f4mx-3x6p-cfwp.
  • Fix: Open5GS 2.8.0 (validates mobile-identity length before the SUCI/GUTI/5G-S-TMSI cast). Reported to the Open5GS maintainers.
  • Reported by: Cipher / Causal Security.

All testing was against an Open5GS core we ran ourselves; the triggering message is synthetic.

Why we look at pre-authentication parsers

Pre-authentication parsing in a core network function is the surface where a single missing check becomes a network-wide outage: it runs before any credential, so anything that can reach the interface can reach the code. The bug itself is not exotic. It is a length-versus-type invariant the parser assumes but never enforces, the gap between the length a message claims and the length a type actually requires. Finding it is not a from-scratch audit of the stack. It is enumerating the fields a parser reads before authentication and, for each one, checking whether the declared length is validated against the type before a pointer is formed. This one was not. That gap is the bug.


This work is part of our ongoing vulnerability research into the open-source and embedded software that critical infrastructure runs on.