Medium severity 4.3 · NVD Advisory · Published May 17, 2026 · Updated May 18, 2026

CVE-2026-8731

Description

A vulnerability has been found in Open5GS up to 2.7.7. Affected is the function ogs_sbi_client_add in the library /lib/sbi/client.c of the component NRF. The manipulation of the argument client_pool leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Open5GS NRF crashes due to exhaustion of the SBI client pool via crafted subscription requests, enabling remote denial of service.

Vulnerability

The vulnerability resides in the NRF (Network Repository Function) component of Open5GS versions up to 2.7.7. Specifically, in the function ogs_sbi_client_add in /lib/sbi/client.c, when processing POST /nnrf-nfm/v1/subscriptions, the code allocates a new SBI client from a fixed-size pool (client_pool). If the pool is exhausted (default size 64), the function returns NULL, and the subsequent ogs_assert(client) call triggers an assertion failure, crashing the NRF process. The issue is triggered by sending multiple subscription requests with distinct notification URI hosts, each requiring a separate client [1].

Exploitation

An unauthenticated remote attacker can exploit this by sending a series of valid POST /nnrf-nfm/v1/subscriptions requests, each with a different nfStatusNotificationUri host. With the default client_pool size of 64, after 64 unique hosts, the pool is exhausted, and the next request causes a crash. No authentication is required, and the attack can be carried out over the network [1].

Impact

Successful exploitation leads to a denial of service (DoS) of the NRF function, causing the 5G core network component to crash and become unavailable. This disrupts network registration, session management, and other critical functions that rely on NRF. No data integrity or confidentiality is compromised [1].

Mitigation

As of the disclosure date, no official patch has been released by the Open5GS project (the issue was reported but not addressed). A potential workaround is to increase the SBI client pool size by adjusting the max.peer configuration parameter, which indirectly controls the pool size. Additionally, rate-limiting or filtering subscription requests can reduce the exposure. Users are advised to monitor the project for updates [1].
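The filtering idea from the mitigation paragraph, sketched as an added example (not Open5GS code and not from the cited reference). It assumes an admission check in a proxy in front of the NRF that caps distinct notification hosts below the pool size; `SubscriptionFilter`, `HOST_BUDGET`, the `.core.example` allowlist and the premise that a repeated host reuses an existing client are assumptions of this sketch.

```python
import json
from urllib.parse import urlsplit

POOL_SIZE = 64    # default client_pool size stated in the advisory
HOST_BUDGET = 48  # assumed margin kept free for the NRF's other SBI peers

class SubscriptionFilter:
    """Admission check for POST /nnrf-nfm/v1/subscriptions bodies."""

    def __init__(self, budget=HOST_BUDGET, allowed_suffixes=()):
        if budget >= POOL_SIZE:
            raise ValueError("budget must stay below the client pool size")
        self.budget = budget
        # Suffixes start with "." so "evil-nf.example" cannot match ".nf.example".
        self.allowed_suffixes = tuple(allowed_suffixes)
        self.hosts = set()

    def check(self, body):
        """Return (forward, reason) for one request body."""
        try:
            uri = json.loads(body)["nfStatusNotificationUri"]
            host = urlsplit(uri).hostname  # lower-cased by urlsplit
        except (ValueError, KeyError, TypeError, AttributeError):
            return False, "malformed body or notification URI"
        if not host:
            return False, "notification URI has no host"
        if self.allowed_suffixes and not host.endswith(self.allowed_suffixes):
            return False, "host outside allowlist"
        if host in self.hosts:
            return True, "known host"  # assumed to reuse an existing client
        if len(self.hosts) >= self.budget:
            return False, "distinct-host budget reached"
        self.hosts.add(host)
        return True, "new host admitted"


def run_constructed_sample():
    """Feed 70 constructed bodies with distinct hosts, then a repeat and an outsider."""
    f = SubscriptionFilter(allowed_suffixes=(".core.example",))
    bodies = [json.dumps({"nfStatusNotificationUri":
                          f"http://nf{i}.core.example:7777/notify"}) for i in range(70)]
    results = [f.check(b) for b in bodies]
    repeat = f.check(bodies[0])
    outsider = f.check('{"nfStatusNotificationUri": "http://a.other.example/n"}')
    return results, repeat, outsider, len(f.hosts)


if __name__ == "__main__":
    print(run_constructed_sample()[1:])
```

Rejected requests should be logged with their source address, since a burst of "distinct-host budget reached" decisions from one peer is the pattern the advisory describes.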

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Open5gs/Open5gs (2 versions listed, no CPE), range: <=2.7.7

Patches

0

No patches discovered yet.

References

4
