Skip to main content

Open5GS EUVDEUVD-2026-28912

| CVE-2026-8186 MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-09 VulDB GHSA-2xj3-jm9w-283r
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 09, 2026 - 12:30 vuln.today
Analysis Generated
May 09, 2026 - 12:30 vuln.today
CVSS changed
May 09, 2026 - 12:22 NVD
5.3 (MEDIUM) 6.9 (MEDIUM)
CVE Published
May 09, 2026 - 12:00 nvd
MEDIUM 6.9

DescriptionCVE.org

A vulnerability was detected in Open5GS up to 2.7.7. This affects the function ogs_sbi_client_send_via_scp_or_sepp in the library lib/sbi/client.c of the component NF. Performing a manipulation results in out-of-bounds read. The attack is possible to be carried out remotely. The patch is named d5bc487fcf9ea87d2b03f2ef95123af344773bfb. It is suggested to install a patch to address this issue.

AnalysisAI

Out-of-bounds read in Open5GS up to version 2.7.7 allows remote attackers to trigger information disclosure via manipulation of the ogs_sbi_client_send_via_scp_or_sepp function in lib/sbi/client.c during Service-Based Interface (SBI) communication. The vulnerability exploits improper bounds checking when extracting paths from URIs, affecting the Network Function (NF) component. CVSS 6.9 (network-accessible, low complexity, no privileges required) with availability impact. Upstream patch commit d5bc487fcf9ea87d2b03f2ef95123af344773bfb available.

Technical ContextAI

Open5GS is a 5G/LTE telecom network core implementation. The vulnerability resides in the SBI client library (lib/sbi/client.c), specifically in the ogs_sbi_client_send_via_scp_or_sepp function which handles Service Communication Proxy (SCP) and Security Edge Protection Proxy (SEPP) message routing in 5G network function communication. The root cause is a CWE-125 (Out-of-bounds Read) condition in URI path extraction logic that lacks proper validation before memory access. The patch adds explicit return-value checking on a URI path extraction operation (rc == false condition), preventing the function from proceeding with unvalidated data. SBI is the standardized service-based interface between 5G network functions (NFs), making this library critical infrastructure for interoperability.

RemediationAI

Upgrade Open5GS to a patched version containing commit d5bc487fcf9ea87d2b03f2ef95123af344773bfb or later. If immediate upgrade is not feasible, apply the upstream patch from https://github.com/open5gs/open5gs/pull/4496 manually to lib/sbi/client.c by adding the rc == false validation check before URI path extraction. As a temporary compensating control, restrict network-level access to SBI client communication ports (typically TCP 7777 for SBI default) to authorized 5G network functions only, using firewall rules to block untrusted peer connections; this reduces attack surface but does not fix the underlying parsing bug and may impact network function discovery features. Validate all NF deployments to ensure SBI interfaces are not inadvertently exposed to external networks.

CVE-2024-40130 CRITICAL POC
9.8 Jul 16

open5gs v2.6.4 is vulnerable to Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2024-40129 CRITICAL POC
9.8 Jul 16

Open5GS v2.6.4 is vulnerable to Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2021-28122 CRITICAL POC
9.8 Mar 10

A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. Rated critical severity (CVSS 9.8

CVE-2021-25863 HIGH POC
8.8 Jan 26

Open5GS 2.1.3 listens on 0.0.0.0:3000 and has a default password of 1423 for the admin account. Rated high severity (CVS

CVE-2023-37023 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contain a reachable assertion in the `Uplink NAS Transport` packet handler. Rated high sev

CVE-2023-37021 HIGH POC
8.6 Jan 22

Open5GS MME version <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37020 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37019 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37018 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37017 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37016 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37015 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the

Share

EUVD-2026-28912 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy