CVE-2026-10115 Overview
CVE-2026-10115 is a denial of service vulnerability affecting Open5GS releases up to and including version 2.7.7. The flaw resides in the Shared NF-profile Parser implemented in lib/sbi/nnrf-handler.c, a core component of the 5G Service Based Interface (SBI) used by Network Repository Function (NRF) communications. An authenticated remote attacker can trigger improper resource handling that disrupts service availability. A public exploit reference exists through VulDB, and upstream maintainers have published a patch through the Open5GS GitHub repository.
Critical Impact
Remote attackers with low privileges can disrupt availability of Open5GS network functions by sending malformed NF-profile data, impacting 5G core service continuity.
Affected Products
- Open5GS versions up to and including 2.7.7
- Open5GS lib/sbi/nnrf-handler.c Shared NF-profile Parser component
- 5G Core deployments relying on Open5GS NRF handling
Discovery Timeline
- 2026-05-30 - CVE-2026-10115 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-10115
Vulnerability Analysis
The vulnerability is classified as [CWE-404] Improper Resource Shutdown or Release. It affects the Open5GS Service Based Interface library responsible for parsing shared Network Function (NF) profile data exchanged between 5G core components such as the NRF, AMF, SMF, and UPF. An attacker who can reach the SBI endpoint can submit malformed NF-profile input, causing the parser to mishandle resources and terminate or hang the affected process. This breaks NF registration and discovery flows that depend on a healthy NRF, degrading the availability of the broader 5G core.
Root Cause
The root cause is improper release of allocated resources in the shared NF-profile parsing path inside lib/sbi/nnrf-handler.c. When the parser encounters specific input patterns, it fails to clean up state correctly, leading to a denial of service condition. The defect is tracked publicly in Open5GS GitHub Issue #4469 and addressed in Pull Request #4527.
Attack Vector
The attack is network-based and requires low privileges, meaning an attacker must have some level of access to the SBI plane to send the malformed profile data. No user interaction is required. Because the SBI is typically an internal control plane in 5G deployments, exposure depends on operator network segmentation. The exploit is publicly available per VulDB, lowering the barrier to weaponization.
No verified proof-of-concept code is reproduced here. Refer to the GitHub Issue #4469 and Pull Request #4527 for technical reproduction details.
Detection Methods for CVE-2026-10115
Indicators of Compromise
- Unexpected crashes, restarts, or hangs of Open5GS NRF or other NF processes parsing shared profiles
- Abnormal SBI HTTP/2 requests directed at NRF endpoints containing malformed NF-profile payloads
- Repeated NF registration or discovery failures correlating with traffic from a specific peer
Detection Strategies
- Monitor Open5GS process logs for parser errors and abnormal termination originating from nnrf-handler.c
- Inspect SBI traffic for malformed JSON NF-profile structures sent to NRF /nnrf-nfm endpoints
- Baseline NF registration and heartbeat patterns and alert on sudden drops or restart loops
Monitoring Recommendations
- Enable verbose logging on the NRF and forward logs to a centralized SIEM for correlation
- Track process uptime and restart counts for all Open5GS NFs as availability metrics
- Apply rate limiting and anomaly detection on SBI requests originating from peer NFs
How to Mitigate CVE-2026-10115
Immediate Actions Required
- Upgrade Open5GS to a version that includes the fix merged via Pull Request #4527
- Restrict access to SBI interfaces to authenticated and authorized 5G core NFs only
- Audit network segmentation to ensure the SBI plane is not exposed to untrusted networks
Patch Information
The Open5GS maintainers have addressed the issue in the upstream repository. Operators should rebuild from a commit that includes the fix referenced in Pull Request #4527 or upgrade to a release later than 2.7.7 once available. See the Open5GS GitHub Repository for the latest source.
Workarounds
- Enforce strict mutual TLS and access control on SBI endpoints to limit which peers can send NF-profile data
- Deploy a service mesh or API gateway in front of NRF to validate NF-profile payloads before they reach the parser
- Implement process supervision to automatically restart crashed Open5GS NFs while a patched build is prepared
# Configuration example: rebuild Open5GS from a patched commit
git clone https://github.com/open5gs/open5gs.git
cd open5gs
git fetch origin pull/4527/head:fix-cve-2026-10115
git checkout fix-cve-2026-10115
meson build --prefix=`pwd`/install
ninja -C build
ninja -C build install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
