Home > Vulnerability Database > CVE-2023-36998

Mend.io Vulnerability Database

CVE-2023-36998

Date: January 21, 2025

The NextEPC MME <= 1.0.1 (fixed in commit a8492c9c5bc0a66c6999cb5a263545b32a4109df) contains a stack-based buffer overflow vulnerability in the Emergency Number List decoding method. An attacker may send a NAS message containing an oversized Emergency Number List value to the MME to overwrite the stack with arbitrary bytes. An attacker with a cellphone connection to any base station managed by the MME may exploit this vulnerability without having to authenticate with the LTE core.

Severity Score

8.9

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-36998

Url: http://nextepc.com

Url: https://cellularsecurity.org/ransacked

Url: https://www.mend.io/vulnerability-database/CVE-2023-36998

Severity Score

8.9

Weakness Type (CWE)

Stack-based Buffer Overflow

CWE-121

CVSS v3.1

Base Score:	8.9
Attack Vector (AV):	ADJACENT_NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-36998

Date: January 21, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?