MEDIUM 4.3

CVE-2026-10114: Open5GS Out-of-Bounds Write in NF Profile Parser

Open5GS versions up to 2.7.7 contain a flaw in how they parse shared NF profile information. When processing certain malformed input, the application writes data beyond the intended memory boundary, potentially crashing the service. While an attacker must have valid network credentials to exploit this, the vulnerability has been publicly disclosed, increasing the likelihood it will be weaponized.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-119, CWE-787
Affected products
0 configuration(s)
Published / Modified
2026-05-30 / 2026-06-17

NVD description (verbatim)

A vulnerability was determined in Open5GS up to 2.7.7. Affected by this issue is the function handle_scp_info in the library lib/sbi/nnrf-handler.c of the component Shared NF-profile Parser. This manipulation causes out-of-bounds write. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. To fix this issue, it is recommended to deploy a patch.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10114 is an out-of-bounds write vulnerability in the handle_scp_info function within lib/sbi/nnrf-handler.c of Open5GS. The Shared NF-profile Parser component fails to validate buffer boundaries when processing network function profile data received over the network. This results in memory corruption that can be triggered by an authenticated attacker with network access. The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-787 (Out-of-bounds Write).

Business impact

For telecom operators and enterprises deploying Open5GS, this vulnerability threatens service availability. A successful exploit causes denial of service by crashing the NF profile handling subsystem, potentially disrupting 5G network slicing and service registration workflows. Since the attack requires valid credentials, the risk is primarily from internal compromise, rogue infrastructure elements, or lateral movement within the network. Recovery requires service restart, impacting active subscribers and business continuity.

Affected systems

Open5GS up to version 2.7.7 is affected. Operators must verify their deployed version and determine if they operate the impacted component (Shared NF-profile Parser in the SBI layer). The vulnerability is remotely triggerable but requires authenticated access, limiting exposure to threat actors with network foothold within the telecom infrastructure or those who have compromised legitimate network credentials.

Exploitability

The exploit has been publicly disclosed, removing the complexity barrier for potential attackers. Exploitation requires network connectivity to the affected Open5GS instance and valid credentials (PR:L in CVSS vector). No user interaction is needed, and the attack can be executed remotely. The CVSS 3.1 score of 4.3 (Medium) reflects low confidentiality and integrity impact, but the public disclosure elevates practical risk despite the moderate base score.

Remediation

Deploy a patched version of Open5GS beyond 2.7.7 as recommended by the project maintainers. Verify the exact patch version number against the official Open5GS release notes and security advisories. In the interim, restrict network access to Open5GS management and SBI interfaces using firewall rules and VLANs to limit exposure to trusted infrastructure elements only.

Patch guidance

Apply the latest Open5GS patch that addresses CVE-2026-10114—verify against the official Open5GS security advisory and release notes for the specific version number. Test the patch in a pre-production environment to ensure compatibility with your network slicing configuration and connected NFs. Schedule the update during a maintenance window with rollback procedures in place. Document the patched version across all Open5GS deployments to maintain consistency.

Detection guidance

Monitor Open5GS logs and core dumps for segmentation faults or abnormal termination of the SBI handler process. Inspect network traffic to the NF-profile registration endpoint for malformed or oversized profile objects that could trigger the buffer overflow. Implement runtime memory protection tools (e.g., ASAN, valgrind) in staging environments to detect out-of-bounds writes during testing. Alert on unexpected service restarts or crashes in the NF discovery and registration subsystem.

Why prioritize this

Although the CVSS score is moderate (4.3), the combination of public exploit disclosure, denial-of-service impact, and the critical role of NF profile handling in 5G infrastructure justifies prompt patching. Telecom operators should prioritize this update to prevent opportunistic attacks from actors who now have exploitation techniques in hand.

Risk score, explained

CVSS 3.1 score of 4.3 (Medium) reflects the requirement for authenticated access (PR:L) and network proximity, which limits the attack surface. However, the score does not fully capture the public disclosure and availability of exploit code, which substantially increases practical risk. The out-of-bounds write causes only availability impact (A:L), not confidentiality or integrity violations, keeping the severity moderate rather than high.

Frequently asked questions

Do we need valid 5G credentials to exploit this, or is it fully remote?

The vulnerability is remotely accessible over the network, but the CVSS vector shows it requires PR:L (low privilege authentication). This typically means valid credentials—either legitimate network function credentials or those obtained through prior compromise. It is not an unauthenticated remote exploit.

Will this vulnerability be added to the KEV catalog?

Currently, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, given the public disclosure of the exploit, monitoring for its future inclusion is recommended. Treat it with the urgency of a KEV candidate due to the public POC.

What versions of Open5GS should we upgrade to?

The advisory states versions up to 2.7.7 are affected. Consult the official Open5GS release notes to identify the first patched version that addresses this issue, and verify the patch release number before upgrading. Never assume a specific version without checking the vendor advisory.

Can this vulnerability be exploited through a supply chain attack on our telecom vendors?

While the vulnerability requires network access and credentials, a compromised vendor element connected to your SBI network could exploit it. Ensure all trusted network peers (vendor equipment, external SPs) are also updated and that mutual TLS and credential rotation practices are in place.

This analysis is based on information available as of June 2026. Verify all patch versions and CVSS scores against the official Open5GS project advisories and NVD records before making remediation decisions. SEC.co provides this information for informational purposes; organizations must conduct their own risk assessment and testing. No guarantee is made regarding exploit weaponization timelines or the exact impact in your specific deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).