CVE-2023-23846

Name of the Vulnerable Software and Affected Versions Open5GS GTP versions prior to 2.4.13 Open5GS GTP versions prior to 2.5.7

Description The issue is related to insufficient length validation in the Open5GS GTP library, which can cause an infinite loop when parsing extension headers in GPRS tunneling protocol (GPTv1-U) messages. This occurs when a protocol payload has any extension header length set to zero, resulting in denial of service and excessive resource consumption. The affected process becomes immediately unresponsive.

Recommendations For versions prior to 2.4.13, update to version 2.4.13 or later. For versions prior to 2.5.7, update to version 2.5.7 or later. As a temporary workaround, consider restricting the parsing of extension headers in GPTv1-U messages to prevent infinite loops until a patch is available.