CVE-2026-8744
Description
A vulnerability was determined in Open5GS up to 2.7.7. Affected is the function ogs_sbi_subscription_data_add/ogs_sbi_nf_service_add in the library /lib/sbi/context.c of the component NRF. Executing a manipulation can lead to denial of service. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This patch is called 819db11a08b9736a3576c4f99ceb28f7eb99523a. A patch should be applied to remediate this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Open5GS NRF crashes via assertion failure when fixed-size pools are exhausted, enabling remote denial of service.
Vulnerability
The vulnerability resides in the NRF component of Open5GS (up to version 2.7.7). The functions ogs_sbi_nf_service_add and ogs_sbi_subscription_data_add in lib/sbi/context.c allocate from fixed-size pools and use ogs_assert to check success. When these pools are exhausted, the assertion fails and the process aborts, leading to denial of service.
Exploitation
An attacker can remotely exhaust the NF service pool by sending a crafted PUT /nnrf-nfm/v1/nf-instances/{id} request with an oversized nfServices list [2][3]. Alternatively, the subscription data pool can be exhausted by flooding POST /nnrf-nfm/v1/subscriptions requests [4]. No authentication is required.
Impact
Successful exploitation causes the NRF process to crash, resulting in denial of service. This disrupts core network functions such as NF registration and discovery.
Mitigation
The issue is fixed by commit 819db11a08b9736a3576c4f99ceb28f7eb99523a [1], which replaces the ogs_assert calls with graceful NULL-return and error logging. Users should upgrade to a patched version of Open5GS. There is no workaround if the fix cannot be applied immediately.
- sbi: update NFProfile incrementally · open5gs/open5gs@819db11
- [SBI] Replace nf_service_pool assert with graceful cap-and-break by MrBrownieCGN · Pull Request #4534 · open5gs/open5gs
- [Bug]: NRF crash in `ogs_sbi_nf_service_add()` by exhausting the NF service pool
- [Bug]: NRF crash on `POST /nnrf-nfm/v1/subscriptions` by exhausting the subscription pool
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
1819db11a08b9sbi: update NFProfile incrementally
6 files changed · +213 −36
lib/sbi/context.c+28 −5 modified@@ -1477,13 +1477,26 @@ ogs_sbi_nf_service_t *ogs_sbi_nf_service_add( ogs_assert(name); ogs_pool_alloc(&nf_service_pool, &nf_service); - ogs_assert(nf_service); + if (!nf_service) { + ogs_error("OVERFLOW nf_service_pool [pool:%llu]", + (unsigned long long)ogs_app()->pool.nf_service); + return NULL; + } memset(nf_service, 0, sizeof(ogs_sbi_nf_service_t)); nf_service->id = ogs_strdup(id); - ogs_assert(nf_service->id); + if (!nf_service->id) { + ogs_error("ogs_strdup() failed for nf_service->id"); + ogs_pool_free(&nf_service_pool, nf_service); + return NULL; + } nf_service->name = ogs_strdup(name); - ogs_assert(nf_service->name); + if (!nf_service->name) { + ogs_error("ogs_strdup() failed for nf_service->name"); + ogs_free(nf_service->id); + ogs_pool_free(&nf_service_pool, nf_service); + return NULL; + } nf_service->scheme = scheme; ogs_assert(nf_service->scheme); @@ -1676,7 +1689,9 @@ ogs_sbi_nf_info_t *ogs_sbi_nf_info_add( ogs_pool_alloc(&nf_info_pool, &nf_info); if (!nf_info) { - ogs_fatal("ogs_pool_alloc() failed"); + ogs_error("OVERFLOW nf_info_pool [pool:%llu]", + (unsigned long long)(ogs_app()->pool.nf * + OGS_MAX_NUM_OF_NF_INFO)); return NULL; } memset(nf_info, 0, sizeof(*nf_info)); @@ -1937,7 +1952,15 @@ ogs_sbi_nf_service_t *ogs_sbi_nf_service_build_default( ogs_assert(scheme); nf_service = ogs_sbi_nf_service_add(nf_instance, id, name, scheme); - ogs_assert(nf_service); + if (!nf_service) { + ogs_error("Cannot build default NF service [%s]: " + "nf_service_pool exhausted at startup. " + "Increase 'max.peer' (current pool capacity = " + "max.peer * 16 = %llu).", + name, + (unsigned long long)ogs_app()->pool.nf_service); + return NULL; + } hostname = NULL; for (server = ogs_sbi_server_first();
lib/sbi/nf-sm.c+20 −1 modified@@ -30,6 +30,21 @@ static void handle_nf_profile_retrieval( ogs_assert(nf_instance_id); ogs_assert(NFProfile); + if (!NFProfile->nf_instance_id) { + ogs_error("No NFProfile.NFInstanceId"); + return; + } + + if (!NFProfile->nf_type) { + ogs_error("No NFProfile.NFType"); + return; + } + + if (!NFProfile->nf_status) { + ogs_error("No NFProfile.NFStatus"); + return; + } + nf_instance = ogs_sbi_nf_instance_find(nf_instance_id); if (nf_instance) { /* already have this nf_instance; done */ @@ -46,7 +61,11 @@ static void handle_nf_profile_retrieval( ogs_sbi_nf_instance_set_id(nf_instance, nf_instance_id); - ogs_nnrf_nfm_handle_nf_profile(nf_instance, NFProfile); + if (ogs_nnrf_nfm_handle_nf_profile(nf_instance, NFProfile) == false) { + ogs_error("[%s] (NRF-profile-get) Invalid NFProfile", nf_instance_id); + ogs_sbi_nf_instance_remove(nf_instance); + return; + } /* verify against our subscription list that we want to save this * nf instance to our context */
lib/sbi/nnrf-handler.c+106 −26 modified@@ -23,9 +23,9 @@ static void handle_nf_service( ogs_sbi_nf_service_t *nf_service, OpenAPI_nf_service_t *NFService); static bool handle_smf_info( ogs_sbi_nf_instance_t *nf_instance, OpenAPI_smf_info_t *SmfInfo); -static void handle_scp_info( +static bool handle_scp_info( ogs_sbi_nf_instance_t *nf_instance, OpenAPI_scp_info_t *ScpInfo); -static void handle_sepp_info( +static bool handle_sepp_info( ogs_sbi_nf_instance_t *nf_instance, OpenAPI_sepp_info_t *SeppInfo); static bool handle_amf_info( ogs_sbi_nf_instance_t *nf_instance, OpenAPI_amf_info_t *AmfInfo); @@ -251,7 +251,11 @@ bool ogs_nnrf_nfm_handle_nf_profile( nf_instance, NFService->service_instance_id, NFService->service_name, NFService->scheme); - ogs_assert(nf_service); + if (!nf_service) { + ogs_error("Failed to add NFService [%s]", + NFService->service_instance_id); + return false; + } } ogs_sbi_nf_service_clear(nf_service); @@ -294,7 +298,11 @@ bool ogs_nnrf_nfm_handle_nf_profile( nf_instance, NFService->service_instance_id, NFService->service_name, NFService->scheme); - ogs_assert(nf_service); + if (!nf_service) { + ogs_error("Failed to add NFService [%s]", + NFService->service_instance_id); + return false; + } } ogs_sbi_nf_service_clear(nf_service); @@ -325,10 +333,12 @@ bool ogs_nnrf_nfm_handle_nf_profile( handle_amf_info(nf_instance, AmfInfoMap->value) == false) return false; } - if (NFProfile->scp_info) - handle_scp_info(nf_instance, NFProfile->scp_info); - if (NFProfile->sepp_info) - handle_sepp_info(nf_instance, NFProfile->sepp_info); + if (NFProfile->scp_info && + handle_scp_info(nf_instance, NFProfile->scp_info) == false) + return false; + if (NFProfile->sepp_info && + handle_sepp_info(nf_instance, NFProfile->sepp_info) == false) + return false; return true; } @@ -458,7 +468,10 @@ static bool handle_smf_info( nf_info = ogs_sbi_nf_info_add( &nf_instance->nf_info_list, OpenAPI_nf_type_SMF); - ogs_assert(nf_info); + if (!nf_info) { + ogs_error("Failed to add SMF nfInfo"); + return false; + } sNssaiSmfInfoList = SmfInfo->s_nssai_smf_info_list; OpenAPI_list_for_each(sNssaiSmfInfoList, node) { @@ -614,7 +627,20 @@ static bool handle_smf_info( return true; } -static void handle_scp_info( +static void scp_info_free(ogs_sbi_scp_info_t *scp_info) +{ + int i; + + ogs_assert(scp_info); + + for (i = 0; i < scp_info->num_of_domain; i++) { + ogs_free(scp_info->domain[i].name); + ogs_free(scp_info->domain[i].fqdn); + } + memset(scp_info, 0, sizeof(*scp_info)); +} + +static bool handle_scp_info( ogs_sbi_nf_instance_t *nf_instance, OpenAPI_scp_info_t *ScpInfo) { ogs_sbi_nf_info_t *nf_info = NULL; @@ -712,13 +738,19 @@ static void handle_scp_info( scp_info.num_of_domain) { nf_info = ogs_sbi_nf_info_add( &nf_instance->nf_info_list, OpenAPI_nf_type_SCP); - ogs_assert(nf_info); + if (!nf_info) { + ogs_error("Failed to add SCP nfInfo"); + scp_info_free(&scp_info); + return false; + } memcpy(&nf_info->scp, &scp_info, sizeof(scp_info)); } + + return true; } -static void handle_sepp_info( +static bool handle_sepp_info( ogs_sbi_nf_instance_t *nf_instance, OpenAPI_sepp_info_t *SeppInfo) { ogs_sbi_nf_info_t *nf_info = NULL; @@ -768,14 +800,19 @@ static void handle_sepp_info( if (http.presence || https.presence) { nf_info = ogs_sbi_nf_info_add( &nf_instance->nf_info_list, OpenAPI_nf_type_SEPP); - ogs_assert(nf_info); + if (!nf_info) { + ogs_error("Failed to add SEPP nfInfo"); + return false; + } nf_info->sepp.http.presence = http.presence; nf_info->sepp.http.port = http.port; nf_info->sepp.https.presence = https.presence; nf_info->sepp.https.port = https.port; } + + return true; } static bool handle_amf_info( @@ -798,7 +835,10 @@ static bool handle_amf_info( nf_info = ogs_sbi_nf_info_add( &nf_instance->nf_info_list, OpenAPI_nf_type_AMF); - ogs_assert(nf_info); + if (!nf_info) { + ogs_error("Failed to add AMF nfInfo"); + return false; + } nf_info->amf.amf_set_id = ogs_uint64_from_string_hexadecimal( AmfInfo->amf_set_id); @@ -1204,6 +1244,7 @@ bool ogs_nnrf_nfm_handle_nf_status_notify( OpenAPI_notification_event_type_NF_REGISTERED) { OpenAPI_nf_profile_t *NFProfile = NULL; + bool nf_instance_created = false; NFProfile = NotificationData->nf_profile; if (!NFProfile) { @@ -1254,6 +1295,7 @@ bool ogs_nnrf_nfm_handle_nf_status_notify( ogs_sbi_nf_instance_set_id( nf_instance, message.h.resource.component[1]); ogs_sbi_nf_fsm_init(nf_instance); + nf_instance_created = true; ogs_info("[%s] (NRF-notify) NF registered", nf_instance->id); } else { @@ -1267,7 +1309,31 @@ bool ogs_nnrf_nfm_handle_nf_status_notify( } } - ogs_nnrf_nfm_handle_nf_profile(nf_instance, NFProfile); + if (ogs_nnrf_nfm_handle_nf_profile(nf_instance, NFProfile) == false) { + ogs_error("[%s] (NRF-notify) Invalid NFProfile [type:%s]", + NFProfile->nf_instance_id, + OpenAPI_nf_type_ToString(NFProfile->nf_type)); + + /* + * ogs_nnrf_nfm_handle_nf_profile() rebuilds the NF profile in + * place. If parsing fails for a newly created cache entry, remove + * it because it may contain a partial profile. If the entry + * already existed, keep it in the registry to avoid deleting a + * previously usable local cache entry because of one bad notify. + */ + if (nf_instance_created == true) { + ogs_sbi_nf_fsm_fini(nf_instance); + ogs_sbi_nf_instance_remove(nf_instance); + } + + ogs_assert(true == + ogs_sbi_server_send_error( + stream, OGS_SBI_HTTP_STATUS_BAD_REQUEST, + recvmsg, "Invalid NFProfile", + NFProfile->nf_instance_id, NULL)); + ogs_sbi_header_free(&header); + return false; + } ogs_info("[%s] (NRF-notify) NF Profile updated [type:%s]", nf_instance->id, @@ -1334,6 +1400,7 @@ void ogs_nnrf_disc_handle_nf_discover_search_result( OpenAPI_list_for_each(SearchResult->nf_instances, node) { OpenAPI_nf_profile_t *NFProfile = NULL; + bool nf_instance_created = false; if (!node->data) continue; @@ -1366,27 +1433,40 @@ void ogs_nnrf_disc_handle_nf_discover_search_result( ogs_sbi_nf_instance_set_id(nf_instance, NFProfile->nf_instance_id); ogs_sbi_nf_fsm_init(nf_instance); + nf_instance_created = true; ogs_info("[%s] (NRF-discover) NF registered [type:%s]", - nf_instance->id, - OpenAPI_nf_type_ToString(nf_instance->nf_type)); + NFProfile->nf_instance_id, + OpenAPI_nf_type_ToString(NFProfile->nf_type)); } else { ogs_warn("[%s] (NRF-discover) NF has already been added [type:%s]", - nf_instance->id, - OpenAPI_nf_type_ToString(nf_instance->nf_type)); + NFProfile->nf_instance_id, + OpenAPI_nf_type_ToString(NFProfile->nf_type)); if (!OGS_FSM_CHECK(&nf_instance->sm, ogs_sbi_nf_state_registered)) { ogs_error("[%s] (NRF-notify) NF invalid state [type:%s]", - nf_instance->id, - OpenAPI_nf_type_ToString(nf_instance->nf_type)); + NFProfile->nf_instance_id, + OpenAPI_nf_type_ToString(NFProfile->nf_type)); } } if (NF_INSTANCE_ID_IS_OTHERS(nf_instance->id)) { if (ogs_nnrf_nfm_handle_nf_profile( nf_instance, NFProfile) == false) { ogs_error("[%s] (NRF-discover) Invalid NFProfile [type:%s]", - nf_instance->id, + NFProfile->nf_instance_id, OpenAPI_nf_type_ToString(NFProfile->nf_type)); + + /* + * Do not leave a newly created partial NFProfile in the + * registry. If the entry already existed, keep it to avoid + * deleting a previously usable local cache entry because of + * one bad discovery result. + */ + if (nf_instance_created == true) { + ogs_sbi_nf_fsm_fini(nf_instance); + ogs_sbi_nf_instance_remove(nf_instance); + } + continue; } @@ -1413,15 +1493,15 @@ void ogs_nnrf_disc_handle_nf_discover_search_result( } else ogs_warn("[%s] NF Instance validity-time should not 0 " "[type:%s]", - nf_instance->id, + NFProfile->nf_instance_id, nf_instance->nf_type ? - OpenAPI_nf_type_ToString(nf_instance->nf_type) : + OpenAPI_nf_type_ToString(NFProfile->nf_type) : "NULL"); ogs_info("[%s] (NF-discover) NF Profile updated " "[type:%s validity:%ds]", - nf_instance->id, - OpenAPI_nf_type_ToString(nf_instance->nf_type), + NFProfile->nf_instance_id, + OpenAPI_nf_type_ToString(NFProfile->nf_type), nf_instance->time.validity_duration); } }
src/nrf/nf-sm.c+27 −2 modified@@ -260,8 +260,33 @@ void nrf_nf_state_registered(ogs_fsm_t *s, nrf_event_t *e) handled = nrf_nnrf_handle_nf_update( nf_instance, stream, message); - if (handled == false) - OGS_FSM_TRAN(s, nrf_nf_state_exception); + if (handled == false) { + ogs_error("[%s] Invalid NF update [type:%s] - " + "keeping existing registration", + nf_instance->id, + OpenAPI_nf_type_ToString( + nf_instance->nf_type)); + /* + * ogs_nnrf_nfm_handle_nf_profile() now guarantees + * that the live nf_instance is unchanged on failure + * (shadow-swap rebuild). nrf_nnrf_handle_nf_update() + * has already sent the HTTP error response, so we + * keep the existing registration intact - treating + * a malformed PUT/PATCH update as an implicit + * de-registration would evict an otherwise healthy + * peer because of one bad message. + * + * The previous behaviour was to transition to + * nrf_nf_state_exception, which causes the FSM + * dispatcher in nrf_state_operational() to call + * nrf_nf_fsm_fini() + ogs_sbi_nf_instance_remove(). + * That eviction is the correct response for + * nrf_nf_state_will_register (initial registration + * never completed), but is wrong for + * nrf_nf_state_registered (the registration is + * still valid - only this one update was bad). + */ + } break; CASE(OGS_SBI_HTTP_METHOD_DELETE)
src/nrf/nnrf-handler.c+24 −2 modified@@ -122,11 +122,20 @@ bool nrf_nnrf_handle_nf_register(ogs_sbi_nf_instance_t *nf_instance, } if (ogs_nnrf_nfm_handle_nf_profile(nf_instance, NFProfile) == false) { - ogs_error("[%s] Invalid NFProfile", nf_instance->id); + ogs_error("[%s] Invalid NFProfile", NFProfile->nf_instance_id); + /* + * Do not finalize or remove nf_instance here. This handler is called + * from the NRF NF state machine. The caller performs OGS_FSM_TRAN() + * on &nf_instance->sm immediately after this function returns, so + * freeing nf_instance here would cause a use-after-free. + * + * Return failure and let the FSM dispatcher perform cleanup after the + * transition to nrf_nf_state_exception. + */ ogs_assert(true == ogs_sbi_server_send_error( stream, OGS_SBI_HTTP_STATUS_BAD_REQUEST, - recvmsg, "Invalid NFProfile", nf_instance->id, NULL)); + recvmsg, "Invalid NFProfile", NFProfile->nf_instance_id, NULL)); return false; } @@ -1473,6 +1482,7 @@ static void handle_nf_discover_search_result( OpenAPI_list_for_each(SearchResult->nf_instances, node) { OpenAPI_nf_profile_t *NFProfile = NULL; + bool nf_instance_created = false; if (!node->data) continue; @@ -1504,6 +1514,7 @@ static void handle_nf_discover_search_result( ogs_assert(nf_instance); ogs_sbi_nf_instance_set_id(nf_instance, NFProfile->nf_instance_id); + nf_instance_created = true; /* * If nrf_nf_fsm_init() is not executed, nf_instance->sm is NULL. @@ -1528,6 +1539,17 @@ static void handle_nf_discover_search_result( ogs_error("[%s] (NF-discover) Invalid NFProfile [type:%s]", NFProfile->nf_instance_id, OpenAPI_nf_type_ToString(NFProfile->nf_type)); + + /* + * Only roll back nf_instances we just created here. A + * pre-existing cache entry will be corrected by the next + * inter-NRF discovery cycle; removing it now would cause + * a temporary blackhole. (No fsm_fini: this code path + * never calls nrf_nf_fsm_init() for newly added entries + * per the comment at line 1517-1522, so sm is NULL.) + */ + if (nf_instance_created) + ogs_sbi_nf_instance_remove(nf_instance); continue; }
src/nrf/nrf-sm.c+8 −0 modified@@ -191,6 +191,14 @@ void nrf_state_operational(ogs_fsm_t *s, nrf_event_t *e) ogs_error("[%s] State machine exception", nf_instance->id); + /* + * Handlers invoked from the NF FSM must not free + * nf_instance before returning because the FSM + * transition writes to &nf_instance->sm. Cleanup + * of failed registration/update attempts is + * centralized here, after ogs_fsm_dispatch() + * completes. + */ nrf_nf_fsm_fini(nf_instance); ogs_sbi_nf_instance_remove(nf_instance); }
Vulnerability mechanics
Root cause
"Missing error handling for memory allocation failures in `ogs_sbi_nf_service_add` and `ogs_sbi_nf_info_add` causes `ogs_assert()` to abort the process when the pool is exhausted, leading to denial of service."
Attack vector
An attacker with low-privileged network access to the NRF can send a crafted NFProfile containing an excessive number of `nfServices` or `nfInfo` entries. When the internal memory pool for `ogs_sbi_nf_service_t` or `ogs_sbi_nf_info_t` objects is exhausted, the previously unconditional `ogs_assert()` calls in `ogs_sbi_nf_service_add` [patch_id=419985, lib/sbi/context.c] and `ogs_sbi_nf_info_add` abort the process, causing a denial of service. The attack is remote and requires no authentication beyond a valid subscription or discovery relationship with the NRF.
Affected code
The vulnerability is in `ogs_sbi_nf_service_add` and `ogs_sbi_nf_info_add` in `lib/sbi/context.c`, where `ogs_assert()` was used instead of error-return checks on pool allocation and string duplication. The callers in `lib/sbi/nnrf-handler.c` (`ogs_nnrf_nfm_handle_nf_profile`) and `src/nrf/nf-sm.c` (`nrf_nf_state_registered`) are also affected because they previously relied on the assertion to guarantee non-NULL returns.
What the fix does
The patch replaces `ogs_assert(nf_service)` and `ogs_assert(nf_info)` with proper NULL-return checks and error logging in `ogs_sbi_nf_service_add` and `ogs_sbi_nf_info_add` [patch_id=419985, lib/sbi/context.c]. Callers in `ogs_nnrf_nfm_handle_nf_profile` now propagate the failure upward instead of crashing. The NRF state machine (`nrf_nf_state_registered`) no longer transitions to the exception state on a bad update, keeping the existing valid registration intact. Newly created cache entries that fail profile parsing are removed, while pre-existing entries are preserved to avoid blackholing a healthy peer due to one malformed message.
Preconditions
- networkAttacker must have network access to the NRF endpoint.
- authAttacker must be able to send NF register/update/discover requests (low-privileged access).
- inputAttacker must craft an NFProfile with enough nfService or nfInfo entries to exhaust the internal memory pool.
Reproduction
The public PoC references (issues #4465 and #4466) describe that sending a malformed or oversized NFProfile to the NRF triggers the crash. No standalone exploit script is provided in the bundle. To reproduce, an attacker would register an NF instance with a profile containing an excessive number of `nfService` entries until the `nf_service_pool` is exhausted, causing the NRF process to abort on the `ogs_assert()` failure.
Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/open5gs/open5gs/commit/819db11a08b9736a3576c4f99ceb28f7eb99523anvdPatch
- github.com/open5gs/open5gs/pull/4534nvdIssue TrackingPatch
- github.com/open5gs/open5gs/issues/4465nvdExploitIssue Tracking
- github.com/open5gs/open5gs/issues/4466nvdExploitIssue Tracking
- vuldb.com/submit/817029nvdThird Party AdvisoryVDB Entry
- vuldb.com/submit/817030nvdThird Party AdvisoryVDB Entry
- vuldb.com/vuln/364331nvdThird Party AdvisoryVDB Entry
- vuldb.com/vuln/364331/ctinvdPermissions RequiredVDB Entry
News mentions
0No linked articles in our index yet.