Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was determined in Open5GS up to 2.7.7. Affected is the function ogs_sbi_subscription_data_add/ogs_sbi_nf_service_add in the library /lib/sbi/context.c of the component NRF. Executing a manipulation can lead to denial of service. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This patch is called 819db11a08b9736a3576c4f99ceb28f7eb99523a. A patch should be applied to remediate this issue.
AnalysisAI
Denial of service in Open5GS NRF (Network Repository Function) allows authenticated remote attackers to crash the service by exhausting the nf_service resource pool. Open5GS versions up to 2.7.7 fail to validate pool allocation during NF service registration, triggering assertion failures that terminate the process. Publicly available exploit code exists (GitHub issue #4466). EPSS data not available, not listed in CISA KEV. Patch released via commit 819db11a08b9736a3576c4f99ceb28f7eb99523a, merged in PR #4534.
Technical ContextAI
Open5GS implements 5G core network functions including NRF (Network Repository Function), responsible for service discovery and registration. The vulnerability exists in /lib/sbi/context.c functions ogs_sbi_subscription_data_add and ogs_sbi_nf_service_add, which allocate NF service objects from a fixed-size pool. The code uses ogs_assert() to validate allocations, a pattern that triggers process termination rather than graceful error handling when the pool is exhausted. CWE-404 (Improper Resource Shutdown or Release) applies because the service fails to handle resource exhaustion safely. The SBI (Service Based Interface) context manages 5G service registrations using pre-allocated memory pools with configurable capacity (ogs_app()->pool.nf_service). When parsing NFProfile messages containing nfServices or nfServiceList arrays, the code allocated pool objects without checking for exhaustion until after ogs_assert(), making the service vulnerable to resource exhaustion attacks.
RemediationAI
Apply vendor-released patch by upgrading to Open5GS commit 819db11a08b9736a3576c4f99ceb28f7eb99523a or later, merged via pull request https://github.com/open5gs/open5gs/pull/4534. Patch replaces ogs_assert() with null-pointer checks and graceful error handling, truncating excessive NF service registrations instead of crashing. If immediate patching is infeasible, implement compensating controls: (1) Increase nf_service pool capacity in Open5GS configuration to delay exhaustion (trade-off: higher memory consumption), (2) Rate-limit NF registration requests at network perimeter using firewall rules or API gateway (trade-off: may impact legitimate burst registrations during network recovery), (3) Restrict NRF SBI access to authenticated network functions only via mTLS certificate validation (reduces attack surface but requires PKI infrastructure), (4) Deploy redundant NRF instances with load balancing to maintain service availability during single-instance failures (trade-off: increased operational complexity). Monitor nf_service pool utilization via Open5GS metrics to detect exhaustion attempts before impact.
open5gs v2.6.4 is vulnerable to Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Open5GS v2.6.4 is vulnerable to Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. Rated critical severity (CVSS 9.8
Open5GS 2.1.3 listens on 0.0.0.0:3000 and has a default password of 1423 for the admin account. Rated high severity (CVS
Open5GS MME versions <= 2.6.4 contain a reachable assertion in the `Uplink NAS Transport` packet handler. Rated high sev
Open5GS MME version <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the
Same weakness CWE-404 – Improper Resource Shutdown or Release
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30690
GHSA-pch7-6gr4-gw9w