CVE-2026-8728
Description
A security vulnerability has been detected in Open5GS up to 2.7.7. The impacted element is the function ogs_sbi_discovery_option_parse_plmn_list in the library /lib/sbi/conv.c of the component NRF. Such manipulation of the argument target-plmn-list leads to denial of service. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Open5GS NRF crashes due to NULL pointer dereference in the function `ogs_sbi_discovery_option_parse_plmn_list` when a malformed `target-plmn-list` is sent, leading to denial of service.
Vulnerability
A denial of service vulnerability exists in Open5GS up to version 2.7.7. The flaw is located in the function ogs_sbi_discovery_option_parse_plmn_list within /lib/sbi/conv.c of the NRF component. When the target-plmn-list (or requester-plmn-list) query parameter contains invalid JSON, ogs_sbi_parse_plmn_list is called with a NULL PlmnList, triggering an assertion failure (ogs_sbi_parse_plmn_list: Assertion 'PlmnList' failed.). This causes the NRF process to crash and exit with code 139 [1]. The vulnerable parser path is reused for both parameters, making the attack possible via either one [1].
Exploitation
An unauthenticated attacker can remotely exploit this vulnerability with no prior access or authentication [1]. The attacker sends an HTTP GET request to the NRF's discovery endpoint (/nnrf-disc/v1/nf-instances) with a malformed target-plmn-list parameter (e.g., target-plmn-list=not-json) [1]. The request does not require any user interaction or special network position beyond reachability to the NRF service. The NRF crashes immediately upon processing the malformed input, as demonstrated in the published exploit steps [1].
Impact
Successful exploitation results in a denial of service condition. The NRF process exits, terminating its service and causing disruption to 5G core network discovery functions that rely on NRF [1]. This can impact network operation until the NRF is restarted. The vulnerability has a CVSS v3 score of 4.3 (Medium) and is publicly disclosed with a proof-of-concept [1].
Mitigation
As of the publication date, no patch is available. The project was notified via an issue report but has not responded [1]. A fixed version has not yet been released; version 2.7.7 is the last affected version [1]. The references provide no known workaround. Users should monitor the Open5GS repository for updates [2] and consider isolating the NRF service from untrusted networks as a temporary measure.
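To check whether such requests have reached an NRF, the following added example (not code from Open5GS or from the referenced issue) scans access-log lines for discovery requests whose `target-plmn-list` or `requester-plmn-list` value is not a JSON array. The log layout, the sample lines, the other query parameters in them and the function names are assumptions of this example. Flagging valid JSON that is not an array goes beyond the invalid-JSON case the advisory describes.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

DISCOVERY_PATH = "/nnrf-disc/v1/nf-instances"
PLMN_PARAMS = ("target-plmn-list", "requester-plmn-list")
# Assumed log layout for this example: <client> "GET <target> HTTP/x" <status>
REQUEST_RE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+"')

def check_request_target(target):
    """Return [(param, reason)] for PLMN list parameters that are not a JSON array."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != DISCOVERY_PATH:
        return []
    findings = []
    # parse_qs percent-decodes values; keep blanks so an empty value is checked too
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in PLMN_PARAMS:
        for value in query.get(name, []):
            try:
                parsed = json.loads(value)
            except (ValueError, RecursionError):
                findings.append((name, "invalid JSON"))
                continue
            if not isinstance(parsed, list):  # assumption: value should be an array
                findings.append((name, "not a JSON array"))
    return findings

def scan_log(lines):
    """Return [(client, param, reason)] for every flagged discovery request."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if match:
            client, target = match.groups()
            hits += [(client, n, r) for n, r in check_request_target(target)]
    return hits

# Constructed sample lines (documentation addresses, not real traffic)
SAMPLE_LOG = [
    '192.0.2.5 "GET /nnrf-disc/v1/nf-instances?target-nf-type=AMF&requester-nf-type=SMF HTTP/2.0" 200',
    '192.0.2.9 "GET /nnrf-disc/v1/nf-instances?target-nf-type=AMF&target-plmn-list=not-json HTTP/2.0" -',
    '192.0.2.5 "GET /nnrf-disc/v1/nf-instances?target-plmn-list=%5B%7B%22mcc%22%3A%22999%22%2C%22mnc%22%3A%2270%22%7D%5D HTTP/2.0" 200',
    '192.0.2.9 "GET /nnrf-disc/v1/nf-instances?requester-plmn-list=%7Bbroken HTTP/2.0" -',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The same `check_request_target` function can back a validation step in a front proxy that rejects a flagged request before it reaches the NRF.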
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References (5)
- github.com/open5gs/open5gs/issues/4458 (nvd: Exploit, Issue Tracking)
- vuldb.com/submit/808510 (nvd: Third Party Advisory, VDB Entry)
- vuldb.com/submit/808511 (nvd: Third Party Advisory, VDB Entry)
- vuldb.com/vuln/364317 (nvd: Third Party Advisory, VDB Entry)
- vuldb.com/vuln/364317/cti (nvd: Permissions Required, VDB Entry)