MEDIUM 4.3

CVE-2026-10156: Open5GS Resource Exhaustion Vulnerability in nf-instances Endpoint

Open5GS, a popular open-source 5G core network implementation, contains a denial-of-service vulnerability in versions up to 2.7.7. An authenticated attacker can manipulate how the system manages network function instance information, causing the application to consume excessive resources and become unresponsive. The vulnerability has been publicly disclosed, but a patch is already available. This is a moderate-severity issue requiring prioritization for 5G infrastructure operators and anyone running affected Open5GS deployments.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-400, CWE-404
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A vulnerability was determined in Open5GS up to 2.7.7. This affects the function handle_amf_info in the library /lib/sbi/nnrf-handler.c of the component nf-instances Endpoint. Executing a manipulation of the argument nf_info_pool can lead to resource consumption. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. Applying a patch is advised to resolve this issue. The issue report is flagged as already-fixed.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10156 exists in the handle_amf_info function within the nf-instances endpoint of Open5GS's SBI (Service-Based Interface) handler. The vulnerability stems from improper handling of the nf_info_pool argument, allowing an authenticated attacker to manipulate resource allocation and trigger uncontrolled resource consumption. The issue maps to CWE-400 (Uncontrolled Resource Consumption) and CWE-404 (Improper Resource Validation), indicating a failure to properly validate and limit resource usage during processing of network function information updates. The attack requires network access and valid credentials but does not require user interaction.

Business impact

For 5G network operators and service providers running Open5GS, this vulnerability enables a denial-of-service condition that could disrupt signaling traffic or control plane operations. An authenticated insider or compromised service account could exhaust memory or processing capacity, degrading service availability. In production 5G environments, such disruptions directly impact call setup, mobility management, and session establishment. Even though the CVSS score is moderate (4.3), the operational context of core network infrastructure means availability impact must be treated as business-critical.

Affected systems

Open5GS versions up to and including 2.7.7 are affected. The vulnerability exists in the nf-instances endpoint, which handles network function instance registration and discovery within the 5G Service-Based Architecture. Any deployment of Open5GS in that version range—whether as an AMF (Access and Mobility Function), UPF (User Plane Function), or other NF role—should be considered at risk if exposed to authenticated attackers or internal threats.

Exploitability

The vulnerability requires valid authentication credentials, meaning an attacker must first gain legitimate access to the 5G network or possess valid service credentials. The attack is network-accessible and straightforward to trigger once authenticated, involving manipulation of standard API arguments. Public disclosure has occurred, lowering the barrier to exploitation. However, the authentication requirement provides a meaningful control—this is not an unauthenticated remote code execution or network-wide worm vector. Internal threats, compromised service accounts, or attackers with roaming subscriber credentials pose the primary risk.

Remediation

Upgrade Open5GS to a version newer than 2.7.7. The issue is flagged as already-fixed in the vendor advisory, meaning a patched release has been published. Identify your current Open5GS version, verify the patch availability for your deployment model (container, package, or source build), and plan a controlled upgrade to minimize service disruption. If immediate patching is not possible, implement network segmentation to restrict access to the nf-instances endpoint to trusted service networks only.

Patch guidance

Consult the official Open5GS release notes and GitHub repository to identify the specific version that contains the fix for CVE-2026-10156. Verify the patch is available for your deployment architecture (Docker images, Debian/RPM packages, or compiled from source). Plan the upgrade carefully—5G control plane components typically require graceful shutdown and inter-node coordination. Test the patched version in a non-production environment first, ensuring that nf-instances registration and queries function correctly post-upgrade. If running Open5GS in a containerized environment, update your container images and redeploy with the patched version.

Detection guidance

Monitor logs from the nf-instances endpoint for unusual patterns in network function registration or info-pool manipulation requests. Look for repeated or abnormal updates to the nf_info_pool parameter, particularly from low-privilege service accounts or unexpected network ranges. Track memory and CPU usage of the Open5GS process—a spike coinciding with API activity targeting this endpoint may indicate exploitation. Implement alerting on failed or rejected nf-instances API requests, which might reveal reconnaissance or repeated attack attempts. Network-level detection should flag authenticated sessions making high-frequency or large-payload requests to this specific SBI endpoint.

Why prioritize this

Although the CVSS score is moderate (4.3), prioritize this vulnerability because it affects critical 5G core network infrastructure. Availability of the control plane directly impacts service continuity. Public disclosure combined with a relatively simple exploitation pattern (authenticated resource exhaustion) increases risk in environments where service credentials may have been compromised or are held by contractors. The fix is already available, making remediation a straightforward operational task with high return on investment.

Risk score, explained

CVSS 3.1 score of 4.3 (Medium) reflects the attack complexity: network-accessible but requiring authentication, leading to availability impact only (no confidentiality or integrity compromise). The score appropriately captures the limited blast radius. However, in the context of 5G infrastructure, availability loss carries outsized operational significance. Organizations should elevate this above generic medium-priority queues when it affects production 5G deployments.

Frequently asked questions

Does this vulnerability allow remote code execution or data theft?

No. CVE-2026-10156 is limited to denial-of-service via resource exhaustion. An attacker cannot execute arbitrary code, steal subscriber data, or modify network traffic. The impact is restricted to availability—making the system unresponsive or slow.

Do I need to be authenticated to exploit this?

Yes. The vulnerability requires valid authentication credentials (service-to-service SBI authorization or administrative access). This significantly narrows the attack surface compared to unauthenticated vulnerabilities, but insider threats and compromised service accounts remain a concern.

What should I do if I cannot patch immediately?

Implement network-level segmentation to restrict access to the nf-instances endpoint to only trusted internal service networks. Disable or restrict SBI access from untrusted domains if your topology allows it. Monitor logs closely for anomalies, and prioritize patching within your next maintenance window. The vulnerability is actively exploitable given public disclosure, so avoid leaving systems exposed for extended periods.

Is this in the KEV (Known Exploited Vulnerabilities) catalog?

No, this vulnerability is not currently tracked in the CISA KEV catalog. However, public disclosure has occurred, so treat it as potentially exploitable in the wild. Do not use the absence from KEV as justification for delaying remediation.

This analysis is based on publicly available vulnerability data as of the publication date. Security posture and risk tolerance vary by organization. Patch availability and compatibility should be verified directly with Open5GS maintainers before deployment. This document does not constitute legal advice or a guarantee of protection. Organizations should conduct their own risk assessment aligned with their threat model, regulatory requirements, and network architecture. No exploit code, proof-of-concept, or detailed attack instructions are provided herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).