CVE-2026-10113 Overview
CVE-2026-10113 is a denial-of-service vulnerability in Open5GS through version 2.7.7. The flaw resides in the Shared NF-profile Parser within the lib/sbi/nnrf-handler.c library, which handles Network Function (NF) profile data exchanged over the Service-Based Interface (SBI) in 5G core deployments. An authenticated remote attacker can manipulate input processed by this handler to trigger improper resource handling [CWE-404], causing the affected component to fail. A public exploit exists, and the maintainers have released a patch via GitHub Pull Request #4527.
Critical Impact
Remote attackers with low privileges can disrupt Open5GS 5G core network functions, affecting availability of mobile network services routed through the SBI.
Affected Products
- Open5GS versions up to and including 2.7.7
- Component: Shared NF-profile Parser (lib/sbi/nnrf-handler.c)
- 5G Service-Based Interface (SBI) consumers relying on NRF profile handling
Discovery Timeline
- 2026-05-30 - CVE-2026-10113 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10113
Vulnerability Analysis
Open5GS is an open-source implementation of the 5G Core and EPC. The Network Repository Function (NRF) maintains profiles of available Network Functions, and other NFs query the NRF over the SBI using HTTP/2 with JSON payloads. The Shared NF-profile Parser in lib/sbi/nnrf-handler.c decodes these NF profile structures for consumption by NF service consumers.
The vulnerability is classified as Improper Resource Shutdown or Release [CWE-404]. When the parser processes a crafted NF profile, it fails to correctly manage resources tied to that profile. The condition results in a denial-of-service state in the affected process. Exploitation requires network access to the SBI and low privileges, with no user interaction.
Root Cause
The root cause is improper resource handling in the shared NF-profile parsing routine. The function does not consistently release or clean up state associated with parsed profile elements under specific input conditions. This deficiency allows attacker-influenced input to drive the parser into a state that aborts or destabilizes the consuming NF process.
Attack Vector
The attack vector is network-based across the SBI. An attacker with valid access to the SBI submits a malformed or specifically crafted NF profile representation. The Shared NF-profile Parser ingests the payload, encounters the resource-handling defect, and the affected NF terminates or becomes unresponsive. No verified exploit code is included here; refer to the GitHub Issue #4467 and Pull Request #4527 for technical specifics.
Detection Methods for CVE-2026-10113
Indicators of Compromise
- Unexpected crashes or restarts of Open5GS NF processes (AMF, SMF, AUSF, UDM) that consume NRF profiles
- Error log entries originating from lib/sbi/nnrf-handler.c referencing profile parsing failures
- Sudden loss of NF registration state or service discovery anomalies on the NRF
Detection Strategies
- Monitor Open5GS application logs for parser exceptions and abnormal process termination tied to SBI traffic.
- Inspect HTTP/2 SBI traffic for malformed NFProfile JSON structures sent to NRF consumers.
- Correlate NF restart events with inbound SBI requests from unexpected peers using flow telemetry.
Monitoring Recommendations
- Enable verbose logging on NRF and NF consumer instances to capture parser-level errors.
- Track NF availability metrics and alert on repeated short-interval restarts of core network functions.
- Restrict and audit SBI peer identities to detect unauthorized clients attempting NF profile interactions.
How to Mitigate CVE-2026-10113
Immediate Actions Required
- Apply the upstream fix from Open5GS Pull Request #4527 and upgrade beyond version 2.7.7 once released.
- Limit SBI network reachability to trusted NF peers using network segmentation and mutual TLS.
- Increase monitoring on NF processes that parse NRF profile data for crash and restart events.
Patch Information
The Open5GS maintainers addressed the issue in Pull Request #4527 against the Open5GS repository. Operators should rebuild from a patched commit or upgrade to the next stable release containing the fix. Additional vulnerability metadata is published at VulDB entry #367291.
Workarounds
- Enforce strict mTLS authentication on the SBI to prevent unauthenticated peers from submitting NF profile data.
- Apply network ACLs restricting SBI access to known NF IP addresses only.
- Deploy process supervisors that automatically restart Open5GS NF components to reduce service-impact duration while patching.
# Configuration example: restrict SBI access via iptables to known NF peers
iptables -A INPUT -p tcp --dport 7777 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
