Skip to main content

Open5GS CVE-2026-8744

| EUVDEUVD-2026-30690 LOW
Improper Resource Shutdown or Release (CWE-404)
2026-05-17 VulDB GHSA-pch7-6gr4-gw9w
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 17, 2026 - 10:22 NVD
MEDIUM LOW
CVSS changed
May 17, 2026 - 10:22 NVD
4.3 (MEDIUM) 2.1 (LOW)
Source Code Evidence Fetched
May 17, 2026 - 09:45 vuln.today
Analysis Generated
May 17, 2026 - 09:45 vuln.today

DescriptionCVE.org

A vulnerability was determined in Open5GS up to 2.7.7. Affected is the function ogs_sbi_subscription_data_add/ogs_sbi_nf_service_add in the library /lib/sbi/context.c of the component NRF. Executing a manipulation can lead to denial of service. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This patch is called 819db11a08b9736a3576c4f99ceb28f7eb99523a. A patch should be applied to remediate this issue.

AnalysisAI

Denial of service in Open5GS NRF (Network Repository Function) allows authenticated remote attackers to crash the service by exhausting the nf_service resource pool. Open5GS versions up to 2.7.7 fail to validate pool allocation during NF service registration, triggering assertion failures that terminate the process. Publicly available exploit code exists (GitHub issue #4466). EPSS data not available, not listed in CISA KEV. Patch released via commit 819db11a08b9736a3576c4f99ceb28f7eb99523a, merged in PR #4534.

Technical ContextAI

Open5GS implements 5G core network functions including NRF (Network Repository Function), responsible for service discovery and registration. The vulnerability exists in /lib/sbi/context.c functions ogs_sbi_subscription_data_add and ogs_sbi_nf_service_add, which allocate NF service objects from a fixed-size pool. The code uses ogs_assert() to validate allocations, a pattern that triggers process termination rather than graceful error handling when the pool is exhausted. CWE-404 (Improper Resource Shutdown or Release) applies because the service fails to handle resource exhaustion safely. The SBI (Service Based Interface) context manages 5G service registrations using pre-allocated memory pools with configurable capacity (ogs_app()->pool.nf_service). When parsing NFProfile messages containing nfServices or nfServiceList arrays, the code allocated pool objects without checking for exhaustion until after ogs_assert(), making the service vulnerable to resource exhaustion attacks.

RemediationAI

Apply vendor-released patch by upgrading to Open5GS commit 819db11a08b9736a3576c4f99ceb28f7eb99523a or later, merged via pull request https://github.com/open5gs/open5gs/pull/4534. Patch replaces ogs_assert() with null-pointer checks and graceful error handling, truncating excessive NF service registrations instead of crashing. If immediate patching is infeasible, implement compensating controls: (1) Increase nf_service pool capacity in Open5GS configuration to delay exhaustion (trade-off: higher memory consumption), (2) Rate-limit NF registration requests at network perimeter using firewall rules or API gateway (trade-off: may impact legitimate burst registrations during network recovery), (3) Restrict NRF SBI access to authenticated network functions only via mTLS certificate validation (reduces attack surface but requires PKI infrastructure), (4) Deploy redundant NRF instances with load balancing to maintain service availability during single-instance failures (trade-off: increased operational complexity). Monitor nf_service pool utilization via Open5GS metrics to detect exhaustion attempts before impact.

CVE-2024-40130 CRITICAL POC
9.8 Jul 16

open5gs v2.6.4 is vulnerable to Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2024-40129 CRITICAL POC
9.8 Jul 16

Open5GS v2.6.4 is vulnerable to Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2021-28122 CRITICAL POC
9.8 Mar 10

A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. Rated critical severity (CVSS 9.8

CVE-2021-25863 HIGH POC
8.8 Jan 26

Open5GS 2.1.3 listens on 0.0.0.0:3000 and has a default password of 1423 for the admin account. Rated high severity (CVS

CVE-2023-37023 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contain a reachable assertion in the `Uplink NAS Transport` packet handler. Rated high sev

CVE-2023-37021 HIGH POC
8.6 Jan 22

Open5GS MME version <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37020 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37019 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37018 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37017 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37016 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37015 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the

Share

CVE-2026-8744 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy