MEDIUM 4.3

CVE-2026-10115: Open5GS NF Profile Parser DoS Vulnerability

Open5GS, an open-source 5G core network implementation, contains a flaw in how it parses network function profiles. An authenticated attacker can send a specially crafted request that causes the affected service to become unresponsive, disrupting normal operations. The vulnerability requires valid credentials to exploit and does not lead to data theft or unauthorized access—only temporary unavailability. Versions up to 2.7.7 are affected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-404
Affected products
0 configuration(s)
Published / Modified
2026-05-30 / 2026-06-17

NVD description (verbatim)

A vulnerability was identified in Open5GS up to 2.7.7. This affects an unknown part in the library lib/sbi/nnrf-handler.c of the component Shared NF-profile Parser. Such manipulation leads to denial of service. The attack can be launched remotely. The exploit is publicly available and might be used. It is advisable to implement a patch to correct this issue.

10 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10115 is an input validation weakness (CWE-404: Improper Resource Validation) located in the Shared NF-profile Parser component within lib/sbi/nnrf-handler.c. The flaw permits an authenticated remote attacker to manipulate NF profile data in a way that triggers a denial of service condition. The attack surface is the NNRF (NF Repository Function) handler, which processes profile information from other network functions. No authentication bypass is required; the attacker must already possess valid credentials to the Open5GS SBI (Service Based Interface) endpoints. The resulting impact is service unavailability rather than data compromise.

Business impact

For operators deploying Open5GS in production or pre-commercial 5G environments, this vulnerability enables a privileged insider or compromised administrative account to disrupt core network services. An attacker with valid tenant or service credentials can trigger repeated DoS events, causing call setup failures, session management disruptions, and user-facing service outages. In environments where Open5GS acts as a critical routing or subscriber management component, sustained exploitation could require manual intervention and service restarts, increasing operational overhead and downtime costs.

Affected systems

Open5GS versions up to and including 2.7.7 are vulnerable. This includes all minor and patch releases prior to 2.7.7. Any deployment running Open5GS as a 5G core network function is at risk if it has not been updated past the affected range. Check your Open5GS version via CLI tools or administrative interfaces to determine exposure. Verify the exact patched version against the official Open5GS release notes.

Exploitability

Exploitation requires valid authentication credentials to the SBI endpoints—a meaningful barrier that eliminates opportunistic internet-wide attacks. Public exploit code exists, lowering the technical bar for attackers with legitimate access. However, the attack vector (network-based, low complexity, low privileges required for authenticated users) means that compromise of any service account or insider misuse could trigger the vulnerability. The MEDIUM CVSS score (4.3) reflects the authentication requirement tempering the impact; without valid credentials, the attack cannot proceed.

Remediation

Upgrade Open5GS to a patched version beyond 2.7.7. Verify the availability and stability of the patched release against your operational requirements before deployment. Additionally, implement network segmentation to restrict SBI endpoint access to trusted network functions only, reducing the population of accounts capable of triggering this issue. Review and audit which internal services and operators hold credentials to the NNRF component.

Patch guidance

Obtain the latest stable release of Open5GS from the official repository and review the release notes to confirm the patch addresses CVE-2026-10115. Plan a maintenance window for your 5G core deployment, as service restart is typically required during upgrades. Test the patched version in a pre-production environment that mirrors your architecture, particularly validating NF profile queries and repository operations. Once validated, schedule a controlled rollout to production, monitoring NNRF handler logs for any anomalies during and after the update.

Detection guidance

Monitor Open5GS NNRF handler logs for repeated errors or exceptions when processing NF profile updates from specific sources. Baseline normal profile query patterns and alert on anomalies in request volume or malformed profile data. Network-level detection can track SBI communication for unexpected profile manipulation attempts. Implement rate limiting on NF profile update endpoints to mitigate rapid DoS attempts. Consider deploying a 5G network security monitoring solution that understands SBI protocol semantics to detect exploitation patterns.

Why prioritize this

Although assigned a MEDIUM severity, this vulnerability warrants prompt attention because: (1) public exploit code exists, reducing barriers for insiders or attackers with compromised credentials; (2) 5G core network disruptions directly impact subscriber connectivity and operator revenue; (3) authentication requirement is not a strong control in multi-tenant or federated environments where service-to-service credentials are widely distributed; (4) the impact, while DoS-only, affects availability—a critical operational pillar. Prioritize patching in environments with high-privilege credential distribution or untrusted internal networks.

Risk score, explained

The CVSS 3.1 score of 4.3 (MEDIUM) reflects a network-accessible, low-complexity attack requiring valid authentication, leading only to denial of service. The lack of confidentiality or integrity impact and the authentication barrier prevent a higher score. However, contextual risk is elevated in 5G deployments where service availability is mission-critical and credential compromise is plausible. Organizations should treat this as higher-priority than the CVSS alone suggests in production environments.

Frequently asked questions

Can an unauthenticated attacker exploit this vulnerability?

No. The attack requires valid credentials to access Open5GS SBI endpoints. An unauthenticated external attacker cannot trigger the vulnerability. Risk is limited to scenarios involving compromised accounts, insider threats, or service-to-service credential leakage.

What does 'Shared NF-profile Parser' mean, and why is it a concern?

The NF (Network Function) profile parser handles metadata about network functions participating in the 5G core. This metadata controls routing, service discovery, and session management. A flaw here can disrupt core functions' ability to communicate, propagating outages across the network.

Is there a workaround if I cannot patch immediately?

Implement strict network access controls limiting SBI endpoint exposure to known, trusted network functions only. Enforce rate limiting on profile update operations and monitor logs for suspicious patterns. These measures reduce risk but do not eliminate it; patching remains necessary for complete remediation.

What is CWE-404, and how does it relate to this bug?

CWE-404 (Improper Resource Validation) means the code fails to properly check or validate the input data structure before processing it. In this case, the NF profile data is not sufficiently validated, allowing malformed or malicious profiles to cause a crash or hang in the parser.

This analysis is based on publicly disclosed vulnerability information as of the publication date. Patch availability, affected versions, and vendor guidance are subject to change; verify all details against official Open5GS release notes and security advisories before making deployment decisions. No exploit code or weaponized proof-of-concepts are provided. SEC.co makes no warranty regarding the completeness or accuracy of this advisory and recommends independent verification by qualified security and network engineering staff prior to operational changes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).