Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability has been found in Open5GS up to 2.7.7. Affected is the function ogs_sbi_client_add in the library /lib/sbi/client.c of the component NRF. The manipulation of the argument client_pool leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Denial of service vulnerability in Open5GS NRF client management (versions ≤2.7.7) allows authenticated remote attackers to crash the Network Repository Function service via malformed client pool arguments. Public exploit code exists (GitHub issue #4464), but vendor has not responded to disclosure. CVSS base score of 4.3 reflects low severity due to limited availability impact and authentication requirement. EPSS data not provided; KEV status not applicable for this unpatched issue.
Technical ContextAI
Open5GS is an open-source implementation of 5G Core and EPC (Evolved Packet Core) network functions. The vulnerability exists in the Service-Based Interface (SBI) client management code (/lib/sbi/client.c, function ogs_sbi_client_add) used by the Network Repository Function (NRF), which maintains service registration and discovery in 5G service-based architecture. The flaw is classified as CWE-404 (Improper Resource Shutdown or Release), indicating the client_pool argument can be manipulated to cause resource exhaustion or improper cleanup, leading to service disruption. The NRF is critical infrastructure for 5G core network operation, handling HTTP/2-based service communications between network functions.
RemediationAI
No vendor-released patch identified at time of analysis - upstream project has not responded to the disclosure in GitHub issue #4464. Primary mitigation: Monitor https://github.com/open5gs/open5gs/ for security patches and upgrade immediately when available. Interim compensating controls require defense-in-depth approach: (1) Restrict NRF access to only authorized network functions using mutual TLS authentication and IP allowlisting - this limits the attack surface to compromised legitimate clients. (2) Implement rate limiting and request validation on NRF SBI endpoints to detect/block malformed client_pool manipulations - may cause false positives if legitimate clients send unexpected parameters. (3) Deploy NRF instances in high-availability configuration with health monitoring to automatically restart crashed instances - reduces downtime but does not prevent exploitation. (4) Enable detailed NRF logging to detect exploitation attempts via anomalous client registration patterns - generates significant log volume in large deployments. (5) Consider network segmentation to isolate NRF from untrusted network functions - may complicate service discovery architecture. Trade-offs: These controls reduce exploitability but do not eliminate the underlying vulnerability; authentication bypass or credential compromise negates most mitigations. For production 5G deployments, evaluate alternative 5G core solutions or defer Open5GS upgrades to non-vulnerable versions once available.
open5gs v2.6.4 is vulnerable to Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Open5GS v2.6.4 is vulnerable to Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. Rated critical severity (CVSS 9.8
Open5GS 2.1.3 listens on 0.0.0.0:3000 and has a default password of 1423 for the admin account. Rated high severity (CVS
Open5GS MME versions <= 2.6.4 contain a reachable assertion in the `Uplink NAS Transport` packet handler. Rated high sev
Open5GS MME version <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Same weakness CWE-404 – Improper Resource Shutdown or Release
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30680
GHSA-qq7j-v673-3qjh