VYPR
Medium severity 4.3 · NVD Advisory · Published May 31, 2026

CVE-2026-10156

Description

A vulnerability was found in Open5GS up to 2.7.7. It affects the function handle_amf_info in the library file /lib/sbi/nnrf-handler.c of the nf-instances endpoint component. Manipulating the argument nf_info_pool can lead to resource consumption. The attack can be performed remotely. The exploit has been publicly disclosed and may be used. Applying a patch is advised to resolve this issue. The issue report is flagged as already-fixed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Open5GS up to 2.7.7 has a resource exhaustion vulnerability in handle_amf_info() via oversized amfInfoList, leading to denial of service.

Vulnerability

A resource exhaustion vulnerability exists in Open5GS versions up to 2.7.7 in the handle_amf_info() function within /lib/sbi/nnrf-handler.c. The function allocates an ogs_sbi_nf_info_t structure from a fixed-size pool (nf_info_pool) for each entry in the amfInfoList of an NFProfile. The pool is initialized with a default size of 512 (64 * 8). An attacker can cause the pool to be exhausted by providing an oversized amfInfoList via the NRF NF-instances endpoint, leading to an assertion failure and crash [1].

Exploitation

An attacker can trigger the vulnerability remotely without authentication by sending a crafted PUT request to /nnrf-nfm/v1/nf-instances/{nfInstanceId} with an NFProfile containing a large amfInfoList. Alternatively, in an inter-PLMN scenario, a malicious Home-NRF can return an oversized SearchResult.nfInstances[*].amfInfoList payload in response to a GET /nnrf-disc/v1/nf-instances request, causing the client to exhaust its pool. No user interaction is required beyond the network request [1].

Impact

Successful exploitation causes the Open5GS NRF process to crash due to an assertion abort when ogs_pool_alloc() returns NULL after pool exhaustion. This results in a denial of service (DoS) of the NRF component, disrupting 5G core network functions that depend on it. The vulnerability is remotely exploitable and has a CVSS v3 score of 4.3 (Medium) [1].

Mitigation

The issue is reported as already-fixed in the Open5GS repository. Users should update to a version later than 2.7.7 or apply the relevant patch commit. No workaround is documented; upgrading is the recommended action. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].

AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Open5gs/Open5gs (2 versions)
    • (no CPE)
    • (no CPE), range: <=2.7.7

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input validation on the size of `NFProfile.amfInfoList` allows a remote attacker to exhaust the fixed-size `nf_info_pool`, causing an assertion abort and NRF crash."

Attack vector

An attacker sends a PUT request to `/nnrf-nfm/v1/nf-instances/{nfInstanceId}` with a crafted `NFProfile.amfInfoList` containing more than 512 entries. Each entry triggers an allocation from the fixed-size `nf_info_pool`; when the pool is exhausted, `ogs_sbi_nf_info_add()` returns NULL and `handle_amf_info()` hits an `ogs_assert()` crash, terminating the NRF process. The same crash is also reachable via inter-PLMN discovery when a malicious Home-NRF returns an oversized `SearchResult.nfInstances[*].amfInfoList` payload. [ref_id=1]

Affected code

The vulnerability resides in `handle_amf_info()` in `/lib/sbi/nnrf-handler.c` (line 719) and the pool allocation in `ogs_sbi_nf_info_add()` in `/lib/sbi/context.c` (lines 1666-1677). The fixed-size `nf_info_pool` is initialized to 512 entries (64 × 8) in `/lib/sbi/context.c:62`.

What the fix does

The advisory does not include a patch diff, but states that applying a patch is advised and the issue is flagged as already-fixed. The fix should validate the size of the incoming `amfInfoList` before iterating over entries, rejecting oversized payloads with a normal HTTP error instead of allowing the fixed-size pool to be exhausted and triggering an assertion abort. [ref_id=1]
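
The validation described above, sketched as an added example; this is not Open5GS code and not the actual patch. The bump-allocator pool, `handle_amf_info_checked()`, the per-profile cap of 8 and the 400/503 status choices are assumptions made for illustration; only the pool size of 512 comes from this page.

```c
#include <stddef.h>
#include <stdio.h>

#define NF_INFO_POOL_SIZE 512        /* 64 * 8, the default quoted on this page */
#define MAX_AMF_INFO_PER_PROFILE 8   /* assumed per-profile cap, not from Open5GS */

typedef struct { int amf_set_id; } nf_info_t;   /* stand-in for ogs_sbi_nf_info_t */

static nf_info_t pool[NF_INFO_POOL_SIZE];
static size_t pool_used;             /* simplified bump allocator (assumption) */

static nf_info_t *pool_alloc(void)
{
    return pool_used < NF_INFO_POOL_SIZE ? &pool[pool_used++] : NULL;
}

size_t pool_in_use(void) { return pool_used; }

/* Hypothetical hardened handler: returns an HTTP status, never asserts. */
int handle_amf_info_checked(const int *amf_set_ids, size_t count)
{
    size_t mark = pool_used, i;

    /* Bound the peer-controlled list length before touching the pool. */
    if (count > MAX_AMF_INFO_PER_PROFILE)
        return 400;
    /* The pool is shared by all profiles; refuse cleanly if this one cannot fit. */
    if (count > NF_INFO_POOL_SIZE - pool_used)
        return 503;

    for (i = 0; i < count; i++) {
        nf_info_t *info = pool_alloc();
        if (info == NULL) {          /* error path instead of an assertion */
            pool_used = mark;        /* roll back partial allocations */
            return 503;
        }
        info->amf_set_id = amf_set_ids[i];
    }
    return 200;
}

int main(void)
{
    static int ids[520];             /* constructed input: 520 entries */
    int big = handle_amf_info_checked(ids, 520);
    int ok = handle_amf_info_checked(ids, 4);
    printf("520 entries -> %d, 4 entries -> %d, pool in use %zu\n",
           big, ok, pool_in_use());
    return 0;
}
```

The per-profile cap matters as much as the capacity check: without it, a single registration that fits exactly could still consume the whole shared pool and starve every other NF profile.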

Preconditions

  • network: The attacker must be able to send HTTP requests to the NRF endpoint (direct registration path) or control a Home-NRF that responds to inter-PLMN discovery queries (client-response path).
  • auth: No authentication is required for the direct PUT registration path; the attacker only needs network access to the NRF.

Reproduction

The public PoC in [ref_id=1] provides reproduction steps. For direct registration: generate a payload with 520 `amfInfoList` entries, send a PUT to `/nnrf-nfm/v1/nf-instances/{nfInstanceId}` with `--http2-prior-knowledge`, and observe the NRF exit with code 139 and the fatal log message. For inter-PLMN discovery: configure a fake Home-NRF to return an oversized `amfInfoList`, send a GET to `/nnrf-disc/v1/nf-instances` with the `hnrf-uri` parameter, and observe the same crash.

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
