CVE-2026-10156 Overview
CVE-2026-10156 is a resource consumption vulnerability [CWE-400] in Open5GS versions up to 2.7.7. The flaw resides in the handle_amf_info function within the /lib/sbi/nnrf-handler.c library, which serves the nf-instances endpoint. An attacker with low privileges can manipulate the nf_info_pool argument over the network to trigger excessive resource consumption. The exploit has been publicly disclosed, and a patch is available. The issue is flagged as already-fixed in the upstream project.
Critical Impact
Remote attackers with low-privilege access can exhaust resources on Open5GS network function instances, degrading availability of 5G core services.
Affected Products
- Open5GS versions up to and including 2.7.7
- Component: nf-instances Endpoint
- Library: /lib/sbi/nnrf-handler.c
Discovery Timeline
- 2026-05-31 - CVE-2026-10156 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10156
Vulnerability Analysis
The vulnerability exists in the handle_amf_info function inside Open5GS's Service-Based Interface (SBI) handler for the Network Repository Function (NRF). Open5GS is an open-source 5G Core and EPC implementation used in mobile network deployments. The nf-instances endpoint processes Network Function (NF) registration data, including AMF-specific information passed through the nf_info_pool argument.
When an authenticated remote actor manipulates the nf_info_pool argument, the handler fails to apply adequate constraints on resource allocation. This leads to uncontrolled resource consumption on the NRF process. Sustained exploitation can degrade the responsiveness of the 5G control plane, affecting NF registration, discovery, and lifecycle operations.
Root Cause
The root cause is improper control of resource allocation [CWE-400] in handle_amf_info. The function processes attacker-influenced input from the nf-instances endpoint without enforcing limits on the data structures derived from nf_info_pool. The handler trusts the input bounds supplied by registering NF clients.
Attack Vector
The attack is performed remotely over the network. The attacker requires low-privilege access, typically as a registered or authenticated NF peer that can submit data to the NRF's nf-instances endpoint. No user interaction is required. The exploit has been publicly disclosed via the project's GitHub issue tracker and VulDB.
For technical details, see GitHub Issue #4480 and the VulDB Vulnerability #367409 entry.
Detection Methods for CVE-2026-10156
Indicators of Compromise
- Sustained high memory or CPU consumption by the Open5GS NRF process without a corresponding increase in legitimate NF registrations.
- Repeated or malformed requests to the nf-instances endpoint from a single peer, particularly with abnormal nf_info_pool payload patterns.
- NRF service unresponsiveness, timeouts, or restarts during NF registration and discovery operations.
Detection Strategies
- Monitor Open5GS NRF logs for unusual frequency or size of AMF info registration requests handled by handle_amf_info.
- Deploy anomaly detection on SBI traffic to flag spikes in nf-instances POST/PUT operations from a single source.
- Correlate process-level resource metrics with SBI request rates to surface resource exhaustion attempts.
Monitoring Recommendations
- Track Open5GS process memory and file descriptor consumption with alerts on sustained growth.
- Aggregate NRF SBI access logs centrally and review for repeated registration payloads from the same NF identity.
- Baseline normal NF registration patterns to identify deviations indicative of abuse.
How to Mitigate CVE-2026-10156
Immediate Actions Required
- Upgrade Open5GS to a version newer than 2.7.7 that includes the upstream fix for the handle_amf_info resource consumption issue.
- Restrict network access to the NRF's SBI endpoints so only authorized NF peers can submit registration data.
- Audit currently registered NFs and remove any unknown or untrusted peers from the deployment.
Patch Information
The project maintainers have addressed the issue in the Open5GS repository. The VulDB entry flags the report as already-fixed. Apply the patch by updating to the latest release from the Open5GS GitHub Repository and review the discussion in GitHub Issue #4480 for commit-level details.
Workarounds
- Enforce mutual TLS authentication on SBI endpoints to limit which peers can invoke nf-instances operations.
- Apply network-layer access control lists restricting NRF reachability to the trusted 5G core management network.
- Implement rate limiting or a reverse proxy in front of the NRF to cap request volume per source.
# Configuration example: restrict NRF SBI access via iptables
iptables -A INPUT -p tcp --dport 7777 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
