EUVD-2026-33452
GHSA-p769-7pg7-jx7m
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was found in Open5GS up to 2.7.7. Affected by this vulnerability is an unknown functionality in the library lib/sbi/nnrf-handler.c of the component Shared NF-profile Parser. The manipulation results in denial of service. It is possible to launch the attack remotely. The exploit has been made public and could be used. A patch should be applied to remediate this issue.
AnalysisAI
Denial of service in Open5GS NRF (Network Repository Function) through version 2.7.7 allows an authenticated network peer to crash the NRF process with SIGABRT by submitting a crafted SMF or AMF NF-profile registration containing oversized inner-loop arrays. The NRF's shared NF-profile parser in lib/sbi/nnrf-handler.c used reachable ogs_assert() calls - rather than graceful bounds checks - to enforce limits on DNN entries per S-NSSAI slice and TAC range entries per TAI range, making them triggerable by peer-supplied payloads. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network-level access to the 5G core's Service-Based Architecture (SBA) plane and low-privilege credentials sufficient to submit NF registration requests to the NRF Nnrf_NFManagement interface (PR:L per CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VA:L/E:P) characterizes this as low-complexity, network-reachable exploitation requiring only low privileges, with a proof-of-concept exploit available. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious or compromised 5G network function - such as a rogue SMF peer with SBI plane access - submits an NF-profile registration to the NRF containing an S-NSSAI slice with 17 or more DNN entries, exceeding OGS_MAX_NUM_OF_DNN. The unpatched NRF's handle_smf_info() parser hits the ogs_assert() bound check, triggers abort(), and the NRF process terminates with SIGABRT, taking down 5G core NF discovery until the process is restarted. … |
| Remediation | Apply the upstream fix from GitHub PR #4527 (https://github.com/open5gs/open5gs/pull/4527), which replaces the reachable ogs_assert() bounds checks in handle_smf_info() and handle_amf_info() with graceful break-on-overflow logic and adds the nfprofile_inner_lists_overflow() pre-validator in src/nrf/nnrf-handler.c that returns HTTP 400 Bad Request for oversized NFProfiles before they enter the parser. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today