CVE-2026-8729

Vulnerability

The vulnerability exists in Open5GS up to version 2.7.7, specifically in the NRF component's SBI message handling in /lib/sbi/message.c. When parsing a discovery query, the function ogs_sbi_discovery_option_add_service_names asserts that the number of service names is less than OGS_SBI_MAX_NUM_OF_SERVICE_TYPE. An attacker can send a GET request to /nnrf-disc/v1/nf-instances with a service-names parameter containing more than the allowed number of service types, causing the assertion to fail and the NRF process to abort. [1]

Exploitation

The attacker needs network access to the NRF endpoint; no authentication is required. The attack is performed by sending a crafted HTTP/2 GET request with an oversized service-names query parameter. For example, including 81 comma-separated service names triggers the assertion. The connection is reset and the NRF process exits with code 139. [1]

Impact

Successful exploitation results in a denial of service (DoS) of the NRF component, which is a critical part of the 5G core network. The NRF process crashes, disrupting network function discovery and registration services. The impact is limited to availability; no data confidentiality or integrity is compromised. [1]

Mitigation

As of the publication date, no official fix has been released. The project was informed via an issue report but has not responded. Users should monitor the Open5GS repository for a patch. A potential workaround is to implement a reverse proxy or API gateway that validates the service-names parameter length before forwarding requests to the NRF. [1][2]