MEDIUM 4.3

CVE-2026-10113: Open5GS NF-Profile Parser Denial of Service Vulnerability

Open5GS, an open-source 5G core network software suite, contains a vulnerability in its Shared NF-profile Parser component that can be exploited to disrupt service availability. An attacker with network access and valid authentication credentials can trigger a denial of service condition by manipulating the NF-profile parsing logic. The vulnerability affects Open5GS versions up to 2.7.7, and public exploit information is available, increasing the risk of active exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-404
Affected products
0 configuration(s)
Published / Modified
2026-05-30 / 2026-06-17

NVD description (verbatim)

A vulnerability was found in Open5GS up to 2.7.7. Affected by this vulnerability is an unknown functionality in the library lib/sbi/nnrf-handler.c of the component Shared NF-profile Parser. The manipulation results in denial of service. It is possible to launch the attack remotely. The exploit has been made public and could be used. A patch should be applied to remediate this issue.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10113 resides in the lib/sbi/nnrf-handler.c file within Open5GS's Shared NF-profile Parser, responsible for handling NF (Network Function) profile information in the 5G Service Based Interface (SBI). The vulnerability stems from improper validation of profile data (CWE-404: Improper Resource Validation), allowing authenticated remote attackers to craft malformed NF-profile messages that cause the parser to crash or enter an unresponsive state. The attack requires network-level access to the SBI and valid credentials, limiting the immediate threat surface but affecting any deployment that exposes the NF-profile endpoint to untrusted network segments.

Business impact

Organizations operating Open5GS-based 5G core networks face potential service interruptions if this vulnerability is exploited. Since 5G core components typically handle critical network routing and session management, a successful denial of service could disrupt mobile subscriber connectivity, impact network slicing operations, and cascade into service availability issues for downstream applications. Outages could affect emergency services, enterprise mobile services, and revenue-generating services, though the attack requires authenticated access, limiting opportunistic threat actors.

Affected systems

Open5GS versions up to and including 2.7.7 are confirmed vulnerable. The vulnerability is present in the SBI component's NF-profile handling, meaning any deployment using Open5GS with SBI interfaces and permitting authenticated remote connections is at risk. Specifically vulnerable components include the Network Repository Function (NRF) handler and any NF that exposes SBI endpoints. Verify your deployed version against the Open5GS release history to determine exposure.

Exploitability

This vulnerability carries a CVSS v3.1 score of 4.3 (MEDIUM severity) with a vector reflecting network accessibility, low attack complexity, and requirement for low-level authentication privileges. While the attack requires valid credentials (authenticated access), the network-attack vector and public availability of exploit information increase practical exploitability. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, but public disclosure means active scanning and exploitation attempts are plausible within environments where attackers have already achieved authenticated access or compromised credentials.

Remediation

Upgrade Open5GS to a patched version released after version 2.7.7. Verify the exact patched version number in the official Open5GS security advisory and release notes. Additionally, implement network segmentation to restrict SBI access to trusted NF instances only, and enforce strict authentication controls to reduce the likelihood of credential compromise. Monitor for unexpected NF-profile parsing errors in logs.

Patch guidance

Contact the Open5GS project through its official repository (github.com/open5gs/open5gs) or security contacts to obtain the confirmed patched version number and release date. Apply patches in a staged manner, testing in a lab environment replicating your SBI topology before production deployment. If a production patch window is unavailable, consider isolating non-critical NF instances or implementing firewalls to restrict NF-profile endpoint access. Document your patching timeline and track completion across all Open5GS deployments in your environment.

Detection guidance

Monitor for repeated NF-profile parsing errors, application crashes, or NRF handler exceptions in Open5GS logs. Track connection patterns to the SBI endpoints; sudden spikes in failed authentication or malformed profile submission attempts may indicate reconnaissance or exploitation. Enable debug logging for the nnrf-handler component if available. Network-based detection should focus on identifying anomalous SBI message structures or oversized profile payloads. Correlate events with authentication logs to identify compromised service accounts attempting exploitation.

Why prioritize this

Although the CVSS score is MEDIUM (4.3) and the vulnerability requires authentication, the public availability of exploit information, combined with the critical nature of 5G core network availability, warrants prioritization for any organization operating Open5GS in production. Prioritize patching for any deployments where SBI endpoints are accessible from less-trusted segments (e.g., multi-tenant environments, federated networks). Environments with mature credential management and strong network segmentation can assign lower priority but should not defer indefinitely.

Risk score, explained

The CVSS score of 4.3 reflects the requirement for prior authentication (low privilege required) and the denial-of-service impact limited to availability (no confidentiality or integrity loss). However, the score does not fully capture the operational criticality of 5G core availability or the public exploit availability. In contexts where 5G service continuity is mission-critical, risk should be escalated; in lab or non-critical deployments, the inherent CVSS severity may be sufficient.

Frequently asked questions

Does this vulnerability allow attackers to steal subscriber data or access the network without authentication?

No. The vulnerability only causes denial of service; it does not enable data theft, confidentiality compromise, or authentication bypass. An attacker must already possess valid credentials to exploit it.

What is the difference between this vulnerability and more severe 5G core flaws?

This is a availability-focused vulnerability affecting the NF-profile parser. Unlike vulnerabilities that enable unauthorized access or data exfiltration, this one disrupts service but does not grant attacker privileges. Its MEDIUM severity reflects its limited scope, but operational impact can still be significant depending on deployment architecture.

If we run Open5GS in an isolated lab environment without external network access, is patching urgent?

Less urgent, but still recommended. Lab environments often shift to production or connect to other networks over time. Establishing a patching habit and maintaining test environments closer to production reduces deployment friction when critical updates become available.

How do we verify which version of Open5GS we are running?

Check the version in your deployment configuration files, or query the running process with `open5gs-nrfd --version` or similar commands depending on your NF type. Cross-reference with the official Open5GS release notes to confirm vulnerability applicability.

This analysis is based on vulnerability details published as of the modification date (2026-06-17) and reflects the current understanding of CVE-2026-10113. Patch version numbers, exact remediation steps, and KEV inclusion status should be verified against the official Open5GS security advisory and CISA vulnerability database before operational decisions. Network and security environments vary; organizations should adapt recommendations to their architecture and risk posture. SEC.co assumes no liability for decisions made based on this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).