EUVD-2026-33457
GHSA-v3ph-7v5f-jmgp
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was identified in Open5GS up to 2.7.7. This affects an unknown part in the library lib/sbi/nnrf-handler.c of the component Shared NF-profile Parser. Such manipulation leads to denial of service. The attack can be launched remotely. The exploit is publicly available and might be used. It is advisable to implement a patch to correct this issue.
AnalysisAI
Denial-of-service via reachable assertion in Open5GS NRF (Network Repository Function) up to version 2.7.7 allows an authenticated low-privilege network peer to crash the NRF process with SIGABRT by submitting a crafted NFProfile registration payload with oversized inner-list arrays in SMF or AMF info sections. The NRF is a critical singleton service registry in 5G Service-Based Architecture - crashing it disrupts NF discovery for the entire 5G core, making the practical operational impact greater than the A:L CVSS impact rating alone suggests. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires low-privilege authentication (PR:L per CVSS:3.1 vector) to the Open5GS NRF's Nnrf_NFManagement service registration interface - in the 5G SBA context this means possessing valid NF instance credentials or operating a trusted peer NF node (e.g., a compromised SMF or AMF). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.3 (Medium) reflects availability-only impact (C:N/I:N/A:L) with no privilege escalation or data exposure, scoped to the affected NRF process (S:U). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker controlling a compromised SMF peer node within a 5G core deployment connects to the Open5GS NRF's Nnrf_NFManagement HTTP/2 interface using valid NF credentials and submits a crafted NFProfile JSON registration containing an S-NSSAI entry with 17 or more DNN entries in its dnnSmfInfoList, exceeding OGS_MAX_NUM_OF_DNN (16). The NRF parser in lib/sbi/nnrf-handler.c reaches the ogs_assert(dnn_index < OGS_MAX_NUM_OF_DNN) call, fires SIGABRT, and the NRF process terminates, disabling NF discovery for the entire 5G core until the service is restarted. … |
| Remediation | The primary fix is to apply the upstream patch from GitHub PR #4527 (https://github.com/open5gs/open5gs/pull/4527), which replaces the crashing ogs_assert() calls in both handle_smf_info() and handle_amf_info() with graceful bounds checks, and adds a nfprofile_inner_lists_overflow() pre-validation function in src/nrf/nnrf-handler.c that rejects oversized NFProfile registrations with HTTP 400 Bad Request before they reach the parser. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today