CVE-2026-10113
Description
A vulnerability was found in Open5GS up to 2.7.7. It affects an unidentified function in the library lib/sbi/nnrf-handler.c of the Shared NF-profile Parser component. The manipulation results in denial of service. The attack can be launched remotely. The exploit has been made public and could be used. A patch should be applied to remediate this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial-of-service vulnerability in Open5GS's shared NF-profile parser allows remote attackers to crash the NRF via oversized inner lists.
Vulnerability
A denial-of-service vulnerability exists in Open5GS versions up to 2.7.7 in the shared NF-profile parser located in lib/sbi/nnrf-handler.c. The parser contains two unbounded inner loops: one for DNN entries per S-NSSAI slice (maximum 16) and one for TAC ranges per TaiRange (maximum 16). When a peer-supplied NF registration or notification contains more entries than these fixed-size budgets, the parser hits an ogs_assert causing a SIGABRT crash [1][2].
Exploitation
An attacker with network access to an Open5GS NRF (or any other NF that consumes NFProfile messages) can trigger the crash remotely without authentication. The exploit is publicly available [2]. The attacker sends a crafted JSON payload (e.g., via curl) containing an amfInfo.taiRangeList[*].tacRangeList with more than 16 TAC ranges or an smfInfo.dnnSmfInfoList with more than 16 DNN entries. The crash occurs during parsing of the oversized list [1][2].
Impact
Successful exploitation results in a denial of service of the affected network function (typically the NRF). The crash is immediate and causes the process to terminate with SIGABRT. No code execution, privilege escalation, or data disclosure is achieved; the impact is limited to service disruption of the 5G core network function [1][2].
Mitigation
A fix has been implemented in pull request #4527 and merged into the Open5GS repository [1]. The fix introduces a two-tier defense: pre-validation in the NRF register path that rejects oversized lists with HTTP 400, and a cap-and-break conversion in the shared parser for defense-in-depth. Users should update to the latest commit or wait for the next release (post-2.7.7). No workaround is documented [1].
AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check on attacker-controlled inner-list lengths in the shared NF-profile parser causes an assertion failure and process crash."
Attack vector
An attacker with network access to the NRF can send a crafted NF registration request (HTTP PUT to `/nnrf-nfm/v1/nf-instances/...`) containing an oversized `tacRangeList` or `dnnSmfInfoList` within the `NFProfile` JSON body [ref_id=2]. The shared parser in `lib/sbi/nnrf-handler.c` iterates over the attacker-supplied list without bounds checking, hits `ogs_assert(tac_index < OGS_MAX_NUM_OF_TAI)` at line 791, and crashes the NRF process with SIGABRT [ref_id=1][ref_id=2]. The same parser is reachable from other NF-profile consumption paths (e.g., nf-status-notify, discovery responses), so the crash can be triggered from multiple trust boundaries [ref_id=2].
Affected code
The vulnerability resides in the shared NF-profile parser in `lib/sbi/nnrf-handler.c`, specifically in the `handle_amf_info()` and `handle_smf_info()` functions. These functions contain unbounded inner loops that process `amfInfo.taiRangeList[*].tacRangeList` and `smfInfo.dnnSmfInfoList` without checking against the fixed-size internal arrays, leading to an assertion failure and process crash.
What the fix does
The patch introduces a two-tier defence [ref_id=1]. Tier 1 adds a pre-validation function `nfprofile_inner_lists_overflow()` in `src/nrf/nnrf-handler.c` that checks inner-list lengths before processing; if they exceed `OGS_MAX_NUM_OF_DNN` (16) or `OGS_MAX_NUM_OF_TAI` (16), the registration is rejected with HTTP 400 Bad Request. Tier 2 converts the `ogs_assert()` calls in `handle_smf_info()` and `handle_amf_info()` into a graceful cap-and-break loop, so that even if oversized data reaches the shared parser via other code paths (e.g., NRF notifications), the process does not abort. This closes the denial-of-service vector while preserving correct behaviour for notification consumers that cannot reject incoming data.
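The two-tier defence described above, as an added illustration in plain C rather than Open5GS's own code: a hypothetical re-creation of the pre-validation check that inspects inner-list lengths before parsing, the shape of the assert-based copy loop that aborts on the 17th entry, and the cap-and-break loop that keeps the first 16 entries and drops the rest. The struct, the sample values and every function name except `nfprofile_inner_lists_overflow` are assumptions; `ogs_assert` is mapped to the C library `assert` as a stand-in.

```c
#include <assert.h>
#include <stdio.h>
/* Budgets named on the page, with the value it states (16); ogs_assert stand-in */
#define OGS_MAX_NUM_OF_TAI 16
#define OGS_MAX_NUM_OF_DNN 16
#define ogs_assert(cond) assert(cond)

/* Constructed stand-in for a parsed NFProfile: only the inner-list lengths matter here */
struct tai_range { int tac_range_count; };
struct nf_profile {
    struct tai_range tai_range_list[4]; int tai_range_count;
    int dnn_smf_info_count;
};

/* Tier 1 (hypothetical re-creation): nonzero when any inner list exceeds its budget,
 * so the NRF register path can answer HTTP 400 before the shared parser ever runs */
int nfprofile_inner_lists_overflow(const struct nf_profile *p)
{
    if (p->dnn_smf_info_count > OGS_MAX_NUM_OF_DNN)
        return 1;
    for (int i = 0; i < p->tai_range_count; i++)
        if (p->tai_range_list[i].tac_range_count > OGS_MAX_NUM_OF_TAI)
            return 1;
    return 0;
}

/* Before the fix (shape of the vulnerable loop): the index is asserted, so the
 * 17th TAC range aborts the whole process with SIGABRT instead of failing the request */
int copy_tac_ranges_assert(int count, const int *tacs, int out[OGS_MAX_NUM_OF_TAI])
{
    int tac_index = 0;
    for (int i = 0; i < count; i++) {
        ogs_assert(tac_index < OGS_MAX_NUM_OF_TAI);
        out[tac_index++] = tacs[i];
    }
    return tac_index;
}

/* Tier 2 (cap-and-break): keep the first 16 entries, log the truncation, stop the loop */
int copy_tac_ranges_capped(int count, const int *tacs, int out[OGS_MAX_NUM_OF_TAI])
{
    int tac_index = 0;
    for (int i = 0; i < count; i++) {
        if (tac_index >= OGS_MAX_NUM_OF_TAI) {
            fprintf(stderr, "tacRangeList has %d entries, keeping %d\n", count, OGS_MAX_NUM_OF_TAI);
            break;
        }
        out[tac_index++] = tacs[i];
    }
    return tac_index;
}
```

Only the capped loop is safe to feed an oversized list; the assert variant is kept for comparison and must only see in-budget input.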
Preconditions
- Network: attacker must be able to send HTTP requests to the NRF endpoint
- Input: attacker must craft a JSON NFProfile with more than 16 entries in tacRangeList or dnnSmfInfoList
Reproduction
The reproduction steps are documented in [ref_id=2]. An attacker sends an HTTP PUT request to the NRF with a payload containing 17 `tacRangeList` entries. The NRF process crashes with exit code 139 and the log shows the assertion failure at `lib/sbi/nnrf-handler.c:791`.
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
News mentions (0)
No linked articles in our index yet.