
CVE-2025-44951: n/a

Severity: High
Tags: Vulnerability, CVE-2025-44951, cve, cve-2025-44951
Published: Wed Jun 18 2025 (06/18/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A missing length check in the `ogs_pfcp_dev_add` function of the PFCP library, used by both smf and upf in open5gs 2.7.2 and earlier, allows a local attacker to cause a Buffer Overflow by setting the `session.dev` field to a value with length greater than 32.

AI-Powered Analysis

Last updated: 01/09/2026, 18:58:21 UTC

Technical Analysis

CVE-2025-44951 is a buffer overflow vulnerability identified in the PFCP (Packet Forwarding Control Protocol) library utilized by open5gs, an open-source 5G core network implementation. Specifically, the vulnerability resides in the `ogs_pfcp_dev_add` function, which handles the addition of device information in PFCP sessions. The issue arises because the function does not perform a length check on the `session.dev` field, which is expected to be 32 bytes or less. A local attacker with the ability to modify this field can supply a value exceeding 32 bytes, causing a buffer overflow. This overflow can corrupt adjacent memory, potentially leading to arbitrary code execution or denial of service conditions.

The affected components include the SMF (Session Management Function) and UPF (User Plane Function), both critical for 5G network operation. The vulnerability requires local privileges but no user interaction, making it exploitable by insiders or compromised local accounts. The CVSS v3.1 score of 7.1 reflects the high impact on integrity and availability, with low attack complexity and privileges required. No known exploits are currently reported in the wild, and no official patches have been linked yet.

The vulnerability is classified under CWE-120 (Classic Buffer Overflow), indicating a common and well-understood class of memory safety errors. Given the role of open5gs in 5G core networks, exploitation could disrupt network services or allow attackers to escalate privileges within the telecom infrastructure.
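The kind of length check the analysis says is missing, as an added illustration in C (not open5gs source code, which this page does not reproduce): a device-name setter that rejects oversized input before any copy takes place. The type `demo_dev_t`, the function `demo_dev_set_name`, and the choice of a 32-byte buffer that includes the terminating NUL are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: 32-byte name buffer, terminating NUL included. The page gives
 * only the limit of 32; the real open5gs structure is not shown there. */
#define DEMO_DEV_NAME_SIZE 32

typedef struct {
    char ifname[DEMO_DEV_NAME_SIZE];
    int  fd;   /* stands in for whatever sits next to the name in memory */
} demo_dev_t;

/* Copy name into dev->ifname only if it fits. Returns 0 on success, -1 if the
 * name is NULL, empty, or has no NUL within the first DEMO_DEV_NAME_SIZE
 * bytes. On failure dev is left untouched. */
int demo_dev_set_name(demo_dev_t *dev, const char *name)
{
    const char *nul;
    size_t len;

    if (dev == NULL || name == NULL)
        return -1;
    /* Bounded search: never inspects more bytes than the destination holds. */
    nul = memchr(name, '\0', DEMO_DEV_NAME_SIZE);
    if (nul == NULL)
        return -1;                      /* too long: reject, do not truncate */
    len = (size_t)(nul - name);
    if (len == 0)
        return -1;
    memcpy(dev->ifname, name, len + 1); /* len + 1 <= DEMO_DEV_NAME_SIZE */
    return 0;
}

int main(void)
{
    /* Constructed sample values for a session.dev setting. */
    const char *samples[] = {
        "ogstun",
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* over the limit */
    };
    demo_dev_t dev = { "", 7 };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%zu bytes -> %s (fd still %d)\n", strlen(samples[i]),
               demo_dev_set_name(&dev, samples[i]) == 0 ? "accepted" : "rejected",
               dev.fd);
    return 0;
}
```

The function rejects an oversized name instead of truncating it, so a value that does not fit never reaches the structure in any form and the adjacent field keeps its value.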

Potential Impact

For European organizations, especially telecom operators deploying open5gs as part of their 5G core network infrastructure, this vulnerability poses a significant risk. Exploitation could lead to service disruptions in 5G networks, affecting availability and potentially integrity of session management and user plane functions. This could degrade network performance, cause outages, or enable attackers to execute arbitrary code with local privileges, potentially escalating to broader network compromise. The impact extends to enterprises relying on 5G connectivity and critical infrastructure sectors dependent on stable telecom services. Given the increasing adoption of open-source 5G solutions in Europe to reduce vendor lock-in and costs, the exposure is notable. Additionally, local attacker requirements mean insider threats or compromised local accounts are the primary vectors, emphasizing the need for strict internal security controls. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits post-disclosure. The high CVSS score underlines the potential severity if exploited.

Mitigation Recommendations

1. Monitor open5gs deployments and identify all instances running version 2.7.2 or earlier.
2. Apply official patches or updates from the open5gs project as soon as they become available.
3. Until patches are released, implement strict input validation on the session.dev field to enforce maximum length constraints at the application or network interface level.
4. Restrict local access to SMF and UPF hosts to trusted personnel only, employing strong authentication and access controls to minimize the risk of local exploitation.
5. Deploy host-based intrusion detection systems (HIDS) to detect anomalous behavior or memory corruption attempts on affected systems.
6. Conduct regular audits of user accounts and privileges on telecom infrastructure to prevent unauthorized local access.
7. Network segmentation should be enforced to isolate critical 5G core components from less trusted network zones.
8. Engage with open5gs community and security advisories to stay informed about patches and exploit developments.
9. Consider deploying runtime protections such as stack canaries, ASLR, and DEP on affected hosts to mitigate exploitation impact.
10. Prepare incident response plans specifically addressing potential 5G core network compromises.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 6852df6133c7acc046ee1a19

Added to database: 6/18/2025, 3:46:41 PM

Last enriched: 1/9/2026, 6:58:21 PM

Last updated: 2/3/2026, 11:47:15 PM
