Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14618

CVE-2026-14618: Open5GS AMF DoS Vulnerability

CVE-2026-14618 is a denial of service vulnerability in Open5GS AMF component affecting versions up to 2.7.7. Attackers can exploit the amf_nnrf_handle_nf_discover function remotely. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-14618 Overview

CVE-2026-14618 is a denial of service vulnerability in Open5GS versions up to and including 2.7.7. The flaw resides in the amf_nnrf_handle_nf_discover function within src/amf/nnrf-handler.c, part of the Access and Mobility Management Function (AMF) component. An authenticated remote attacker can trigger the vulnerability by manipulating NRF discovery response handling, causing the AMF process to abort. The Open5GS project has released a patch identified by commit fb5f67703de0213fb9c6e6ef3b48b6c1707e9503. Public exploit information is available, increasing the risk of opportunistic exploitation against exposed 5G core deployments.

Critical Impact

Remote attackers with low privileges can crash the Open5GS AMF component, disrupting 5G core signaling and mobility management for connected subscribers.

Affected Products

  • Open5GS versions up to and including 2.7.7
  • Open5GS AMF component (src/amf/nnrf-handler.c)
  • Deployments relying on NRF discovery through the affected AMF versions

Discovery Timeline

  • 2026-07-04 - CVE-2026-14618 published to NVD
  • 2026-07-06 - Last updated in NVD database

Technical Details for CVE-2026-14618

Vulnerability Analysis

The vulnerability is classified under [CWE-404] Improper Resource Shutdown or Release. The affected function amf_nnrf_handle_nf_discover processes Network Function (NF) discovery responses received from the Network Repository Function (NRF). During processing, the code asserts that a RAN-UE identifier falls within a valid pool range and then attempts to resolve the associated RAN-UE context.

When the transaction was created without an associated NG context, the ran_ue_id remains at OGS_INVALID_POOL_ID. The unconditional ogs_assert calls on this stale identifier abort the AMF process, terminating service for all subscribers handled by that AMF instance.

Root Cause

The root cause is an unsafe assumption that every NRF discovery transaction has an associated RAN-UE context. The original code enforced this assumption with hard asserts on ran_ue_id and the resolved ran_ue pointer. In practice, transactions can legitimately exist without a bound NG context, and the assertion failure converts a recoverable state into a process termination.

Attack Vector

Exploitation occurs over the network against an Open5GS AMF instance that processes NF discovery responses. An attacker able to influence NRF interactions or induce discovery transactions without an associated NG context can trigger the assertion path. The result is a crash of the AMF component, denying 5G mobility management services until the process is restarted.

c
                 ran_ue_id = ctx->ran_ue_id;
         }
 
-        ogs_assert(ran_ue_id >= OGS_MIN_POOL_ID &&
-                ran_ue_id <= OGS_MAX_POOL_ID);
-        ran_ue = ran_ue_find_by_id(ran_ue_id);
-        ogs_assert(ran_ue);
+        /*
+         * ran_ue_id can remain OGS_INVALID_POOL_ID if this
+         * transaction was created without an associated NG context.
+         * Resolve ran_ue only where it is actually needed below.
+         */
     } else {
         ogs_fatal("(NF discover) Not implemented [%s:%d]",
             ogs_sbi_service_type_to_name(service_type), sbi_object->type);

Source: GitHub Commit fb5f67703de. The patch removes the unconditional assertions and defers RAN-UE resolution to code paths that actually require it.

Detection Methods for CVE-2026-14618

Indicators of Compromise

  • Unexpected AMF process termination with ogs_assert failures referencing ran_ue_id or ran_ue in log output.
  • Repeated AMF service restarts correlated with inbound NRF discovery responses.
  • Sudden loss of NG signaling toward gNBs served by a specific AMF instance.

Detection Strategies

  • Monitor Open5GS AMF logs for assertion failures originating in amf_nnrf_handle_nf_discover within src/amf/nnrf-handler.c.
  • Track process supervisor events (systemd, container orchestrator) for repeated AMF crash-restart cycles.
  • Correlate NRF Service-Based Interface (SBI) traffic with AMF availability drops to isolate malicious or malformed discovery flows.

Monitoring Recommendations

  • Enable structured logging on the AMF and forward logs to a centralized analytics platform for anomaly detection.
  • Alert on NG-AP session drops or subscriber attach failures that coincide with AMF restarts.
  • Baseline NRF request/response volumes so deviations tied to discovery abuse are visible.

How to Mitigate CVE-2026-14618

Immediate Actions Required

  • Apply commit fb5f67703de0213fb9c6e6ef3b48b6c1707e9503 or upgrade to an Open5GS release that includes the fix.
  • Restrict network access to AMF SBI interfaces so only trusted NRF and 5G core functions can reach them.
  • Enable automatic restart policies for the AMF process to reduce outage duration if the crash is triggered.

Patch Information

The fix is available in the upstream Open5GS repository as commit fb5f67703de0213fb9c6e6ef3b48b6c1707e9503. The patch removes the unsafe assertions on ran_ue_id and ran_ue and documents that OGS_INVALID_POOL_ID is a legitimate state for transactions without an NG context. Operators should rebuild the AMF binary from a patched source tree or upgrade to a release containing the commit. Refer to GitHub Issue #4517 for upstream discussion.

Workarounds

  • Segment the 5G core network so untrusted peers cannot reach the AMF Service-Based Interface.
  • Enforce mutual TLS and access control lists on SBI endpoints to limit which functions can send NF discovery responses.
  • Deploy process supervision with rapid restart and health checks to minimize service disruption if the assertion is triggered.
bash
# Build Open5GS AMF from a patched source tree
git clone https://github.com/open5gs/open5gs.git
cd open5gs
git fetch origin
git cherry-pick fb5f67703de0213fb9c6e6ef3b48b6c1707e9503
meson build --prefix=`pwd`/install
ninja -C build
ninja -C build install
systemctl restart open5gs-amfd

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.