Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send an `E-RAB Setup Response` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME, resulting in denial of service.

Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send a `UE Context Release Complete` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME, resulting in denial of service.

Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send a `Path Switch Request` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME, resulting in denial of service.

Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send an `Initial UE Message` message missing a required `PLMN Identity` field to repeatedly crash the MME, resulting in denial of service.

Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send a `Handover Notification` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME, resulting in denial of service.

The NextEPC MME <= 1.0.1 (fixed in commit a8492c9c5bc0a66c6999cb5a263545b32a4109df) contains a stack-based buffer overflow vulnerability in the Emergency Number List decoding method. An attacker may send a NAS message containing an oversized Emergency Number List value to the MME to overwrite the s…

Open5GS MME versions <= 2.6.4 contain a reachable assertion in the `Uplink NAS Transport` packet handler. A packet missing its `MME_UE_S1AP_ID` field causes Open5gs to crash; an attacker may repeatedly send such packets to cause denial of service.

Open5GS MME version <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send a `UE Context Modification Failure` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME, resulting in denial of serv…

A SQL injection vulnerability exists in Synnefo Internet Management Software (IMS) version 2023 and earlier. This vulnerability occurs due to improper input validation in a specific API endpoint parameter allowing an attacker to manipulate SQL queries via crafted input. Successful exploitation coul…

Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a sufficiently large ASN.1 packet over the S1AP interface. An attacker may repeatedly send such an oversized packet to cause the `ogs_sctp_recvmsg` routine to reach an unexpected network state and crash, leading …