VYPR
Medium severity 4.3 · NVD Advisory · Published May 30, 2026

CVE-2026-10114

Description

A vulnerability was determined in Open5GS up to 2.7.7. Affected by this issue is the function handle_scp_info in the library lib/sbi/nnrf-handler.c of the component Shared NF-profile Parser. This manipulation causes out-of-bounds write. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. To fix this issue, it is recommended to deploy a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Open5GS up to 2.7.7 has an out-of-bounds write in handle_scp_info leading to remote crash.

Vulnerability

In Open5GS versions up to 2.7.7, the function handle_scp_info in lib/sbi/nnrf-handler.c does not validate the number of SCP domain entries against OGS_MAX_NUM_OF_SCP_DOMAIN before copying them into a fixed-size array. This causes an out-of-bounds write when an attacker-controlled NF profile contains more than the expected number of entries. The bug is in the shared NF-profile parser used by multiple network functions [1].

Exploitation

An attacker can exploit this vulnerability over the network by sending a crafted NF registration or update request (e.g., a PUT to /nnrf-nfm/v1/nf-instances/{id}) with an scpInfo.scpDomainInfoList containing more than 32 entries. No authentication is required if the NRF is exposed. The steps are detailed in [1] and cause the server to crash with a segmentation fault [1].

Impact

Successful exploitation results in an out-of-bounds write, likely causing a segmentation fault or stack-smashing termination. This leads to denial of service for the affected Open5GS network function. Potential for more severe memory corruption is not ruled out [1].

Mitigation

As of the publication date, a patch is recommended but no specific fixed version has been released. Users should monitor the Open5GS issue tracker [1] for updates and apply any provided fixes. Until then, consider restricting network access to the NRF and other vulnerable endpoints.

AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Open5gs/Open5gs (2 versions)
    • (no CPE)
    • (no CPE), range: <=2.7.7

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check on `scp_info.num_of_domain` before writing into a fixed-size array allows out-of-bounds write."

Attack vector

An attacker with network access to an Open5GS NRF endpoint sends a crafted JSON payload containing an `scpInfo.scpDomainInfoList` with more than `OGS_MAX_NUM_OF_SCP_DOMAIN` entries (e.g., 32 entries as shown in the reproduction). The `handle_scp_info()` function iterates over the list and writes each domain name into a fixed-size array without a bounds check, causing an out-of-bounds write. The attack is remote, requires low-privilege access (the NRF accepts unauthenticated NF registration by default), and results in a segmentation fault or stack-smashing termination of the NRF process.

Affected code

The vulnerable function is `handle_scp_info()` in `lib/sbi/nnrf-handler.c`. The bug is a fixed-size array overflow of `scp_info.domain[]` at lines around 588–626, where each attacker-controlled SCP domain entry is written without checking the `OGS_MAX_NUM_OF_SCP_DOMAIN` bound. This is a shared NF-profile parser used by AMF, AUSF, BSF, NSSF, PCF, SMF, UDM, UDR, SCP, and SEPP, not only the NRF.

What the fix does

The advisory does not include a published patch diff, but the recommended fix is to add a bounds check in `handle_scp_info()` so that entries beyond `OGS_MAX_NUM_OF_SCP_DOMAIN` are rejected before any write occurs. The root cause is the missing validation of `scp_info.num_of_domain` against the fixed array size, which allows an attacker-controlled number of entries to overflow the buffer.
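
A minimal sketch of such a check, added here as an illustration; it is not Open5GS code and not the project's patch. The struct, the function names, the sample domain name and the limit of 8 are assumptions standing in for `scp_info` and `OGS_MAX_NUM_OF_SCP_DOMAIN`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins; the real bound is OGS_MAX_NUM_OF_SCP_DOMAIN. */
#define MAX_SCP_DOMAIN 8
#define MAX_DOMAIN_NAME 64
#define CANARY 0xC0FFEEu

/* Hypothetical model of the parsed SCP info: count plus fixed array. */
typedef struct {
    int num_of_domain;
    char domain[MAX_SCP_DOMAIN][MAX_DOMAIN_NAME];
    unsigned canary; /* placed after the array to reveal an overrun */
} scp_info_model_t;

enum { SCP_OK = 0, SCP_TOO_MANY = -1, SCP_BAD_NAME = -2 };

/* The unchecked pattern writes domain[num_of_domain++] for every entry.
 * Here count and name lengths are validated before the first write. */
int scp_store_domains(scp_info_model_t *out, const char *const *names,
                      size_t count)
{
    size_t i;
    if (count > MAX_SCP_DOMAIN)
        return SCP_TOO_MANY;
    for (i = 0; i < count; i++)
        if (names[i] == NULL || strlen(names[i]) >= MAX_DOMAIN_NAME)
            return SCP_BAD_NAME;
    for (i = 0; i < count; i++)
        memcpy(out->domain[i], names[i], strlen(names[i]) + 1);
    out->num_of_domain = (int)count;
    return SCP_OK;
}

static scp_info_model_t demo_model;

/* Feed `count` constructed names (capped at 64) and return the status. */
int scp_demo(size_t count)
{
    static const char *names[64];
    size_t i;
    if (count > 64) count = 64;
    for (i = 0; i < count; i++) names[i] = "scp-domain.example";
    memset(&demo_model, 0, sizeof(demo_model));
    demo_model.canary = CANARY;
    return scp_store_domains(&demo_model, names, count);
}

int main(void) { printf("%d %d\n", scp_demo(8), scp_demo(32)); return 0; }
```

Rejecting the whole profile, rather than truncating it, keeps the stored count and the array contents consistent for every caller of the shared parser.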

Preconditions

  • network: The attacker must be able to send HTTP requests to an Open5GS NRF endpoint that accepts NF registration (default configuration).
  • input: The attacker must craft a JSON payload with an `scpInfo.scpDomainInfoList` containing more than `OGS_MAX_NUM_OF_SCP_DOMAIN` entries.

Reproduction

The reproduction steps are documented in [1]: send a PUT request to `/nnrf-nfm/v1/nf-instances/fake-scp-nrf` with a JSON body containing 32 entries in `scpInfo.scpDomainInfoList`. The NRF process exits with code 139 (segmentation fault).

Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
