CVE-2026-10114 Overview
CVE-2026-10114 is an out-of-bounds write vulnerability in Open5GS versions up to 2.7.7. The flaw resides in the handle_scp_info function within lib/sbi/nnrf-handler.c, part of the Shared NF-profile Parser component. An authenticated remote attacker with low privileges can trigger the condition by sending crafted input to the Service Communication Proxy handler. The issue is tracked under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). Public disclosure of exploitation details has occurred via VulDB, though no active exploitation has been reported. Open5GS is an open-source 5G Core and EPC implementation used in private mobile network deployments and research environments.
Critical Impact
Remote attackers can trigger an out-of-bounds write in the Open5GS NRF handler, potentially corrupting memory in 5G core network components.
Affected Products
- Open5GS versions up to and including 2.7.7
- lib/sbi/nnrf-handler.c Shared NF-profile Parser component
- Deployments using the Network Repository Function (NRF) with Service Communication Proxy (SCP) information handling
Discovery Timeline
- 2026-05-30 - CVE-2026-10114 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-10114
Vulnerability Analysis
The vulnerability exists in the handle_scp_info function of the Open5GS Service Based Interface (SBI) library. This function parses Service Communication Proxy (SCP) information from shared Network Function (NF) profiles exchanged through the Network Repository Function (NRF). The parser writes data outside the bounds of an allocated buffer when processing attacker-controlled input. Memory corruption in this code path affects core 5G signaling components.
Open5GS implements the 3GPP-defined NRF, which registers and discovers NF instances across the 5G core. Because the SBI subsystem handles inter-NF communication, a flaw in this parser can be reached by any peer that can submit NF profiles to the NRF.
Root Cause
The root cause is improper validation of input length or structure before parsed SCP information is written into a destination buffer. The function does not enforce boundary checks consistent with the buffer size, a weakness classified as [CWE-119]. Attacker-controlled fields in the NF profile drive the size and offset of the write, enabling memory corruption beyond the intended buffer.
Attack Vector
The attack vector is network-based and requires low privileges. An attacker who can submit or proxy NF profile registration data to the NRF endpoint can trigger the condition. The EPSS score is 0.039% with a percentile of 12.061, indicating low observed exploitation likelihood despite the public disclosure. Refer to GitHub Issue #4468 and VulDB Vulnerability #367292 for technical specifics on the reported behavior.
Detection Methods for CVE-2026-10114
Indicators of Compromise
- Unexpected crashes, segmentation faults, or restarts of the Open5GS NRF process when handling NF registration requests
- Malformed or oversized SCP information fields observed in NF profile payloads on the SBI interface
- Anomalous NF registration attempts from unauthorized or unexpected peers within the 5G core network
Detection Strategies
- Inspect SBI HTTP/2 traffic to the NRF for NF profile payloads containing malformed scpInfo structures or oversized field values
- Monitor Open5GS process logs for parser errors, assertion failures, or abnormal terminations originating in lib/sbi/nnrf-handler.c
- Correlate NF discovery and registration events with peer authentication context to identify low-privileged senders triggering the parser
Monitoring Recommendations
- Enable verbose logging on the NRF and forward logs to a centralized SIEM for anomaly analysis
- Track crash and restart counts for Open5GS containers or services to identify repeated exploitation attempts
- Apply network segmentation telemetry to confirm only authorized NFs communicate with the NRF SBI endpoint
How to Mitigate CVE-2026-10114
Immediate Actions Required
- Identify all Open5GS deployments at version 2.7.7 or earlier and prioritize patching of the NRF service
- Restrict access to the NRF SBI endpoint using network ACLs so only trusted Network Functions can register or query profiles
- Enable mutual TLS authentication between NFs and the NRF to limit anonymous or unauthorized profile submissions
Patch Information
Review the Open5GS GitHub repository for the latest releases beyond 2.7.7 that include fixes to handle_scp_info. The upstream tracking discussion is available at GitHub Issue #4468. Rebuild and redeploy affected NRF, SCP, and supporting NF containers after applying the patch.
Workarounds
- Block or filter NF profile registrations from untrusted sources at the network layer until the patch is applied
- Deploy a reverse proxy or API gateway in front of the NRF to validate and size-limit scpInfo fields
- Disable or isolate the SCP-related profile handling functionality if it is not required by the deployment
```bash
# Restrict NRF SBI access to known NF peers
# (replace <trusted_nf_subnet> with the CIDR of the trusted NF subnet)
iptables -A INPUT -p tcp --dport 7777 -s <trusted_nf_subnet> -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP

# Verify Open5GS version
open5gs-nrfd -v
```
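The scpInfo inspection listed under Detection Strategies and the size-limiting gateway listed under Workarounds come down to the same check, shown here as an added example (not Open5GS code and not part of the original advisory). The caps, function names and sample bodies are assumptions; the field names scpPorts and scpDomainInfoList follow the 3GPP TS 29.510 ScpInfo type.

```python
import json

# Assumed caps for illustration; not derived from Open5GS buffer sizes.
MAX_BODY_BYTES, MAX_ENTRIES, MAX_STR_LEN, MAX_DEPTH = 64 * 1024, 16, 255, 6

def _walk(node, path, errors, depth=0):
    """Apply the caps to every container and string below scpInfo."""
    if depth > MAX_DEPTH:
        errors.append(f"{path}: nested deeper than {MAX_DEPTH}")
    elif isinstance(node, str):
        if len(node) > MAX_STR_LEN:
            errors.append(f"{path}: string of {len(node)} chars")
    elif isinstance(node, (dict, list)):
        if len(node) > MAX_ENTRIES:
            errors.append(f"{path}: {len(node)} entries")
            return  # never iterate an oversized container
        items = node.items() if isinstance(node, dict) else enumerate(node)
        for key, value in items:
            if isinstance(key, str) and len(key) > MAX_STR_LEN:
                errors.append(f"{path}: key of {len(key)} chars")
            else:
                _walk(value, f"{path}.{key}", errors, depth + 1)

def check_nf_profile(raw: bytes) -> list:
    """Return rejection reasons for an NF profile body; empty means forward."""
    if len(raw) > MAX_BODY_BYTES:
        return [f"body larger than {MAX_BODY_BYTES} bytes"]
    try:
        profile = json.loads(raw)
    except (ValueError, RecursionError):  # malformed or pathologically nested
        return ["body is not parseable JSON"]
    if not isinstance(profile, dict):
        return ["NF profile is not a JSON object"]
    scp = profile.get("scpInfo", {})  # absent scpInfo: nothing to check
    if not isinstance(scp, dict):
        return ["scpInfo: not a JSON object"]
    errors = []
    _walk(scp, "scpInfo", errors)
    ports = scp.get("scpPorts")  # TS 29.510: map of scheme name to port
    if isinstance(ports, dict):
        for scheme, port in ports.items():
            if type(port) is not int or not 0 <= port <= 65535:
                errors.append(f"scpInfo.scpPorts.{scheme[:16]}: bad port")
    return errors

# Constructed sample bodies: not captured traffic and not a reproducer.
GOOD = b'{"nfType": "SCP", "scpInfo": {"scpPorts": {"https": 7777}}}'
BAD = json.dumps({"scpInfo": {
    "scpDomainInfoList": dict.fromkeys(map(str, range(40)), {}),
    "scpPorts": {"https": 70000}}}).encode()
```

A gateway would reject the request when `check_nf_profile` returns a non-empty list, and the same reasons can be logged to the SIEM as a detection signal.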


