CVE-2026-30075 Overview
CVE-2026-30075 is a Buffer Overflow vulnerability affecting OpenAirInterface Version 2.2.0. The vulnerability exists in the processing of UplinkNASTransport messages containing Authentication Response with an oversized NAS PDU (for example, 100 bytes). When this malformed response is decoded by the AMF (Access and Mobility Management Function) and passed to the AUSF (Authentication Server Function) component for verification, the AUSF crashes upon receiving the oversized response. This can prohibit users from further registration and verification, leading to Denial of Service (DoS) conditions.
Critical Impact
Attackers can crash the AUSF component in 5G core networks, disrupting user authentication and registration services, causing network-wide Denial of Service.
Affected Products
- OpenAirInterface Version 2.2.0
- OAI-CN5G-AUSF component
- 5G Core Network deployments using OpenAirInterface
Discovery Timeline
- April 8, 2026 - CVE-2026-30075 published to NVD
- April 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-30075
Vulnerability Analysis
This vulnerability is classified as CWE-120 (Buffer Copy without Checking Size of Input), commonly known as a classic buffer overflow. The flaw resides in how the AUSF component handles Authentication Response messages within the UplinkNASTransport procedure.
In 5G networks, the AUSF is a critical component responsible for authentication services. When a User Equipment (UE) sends an Authentication Response as part of the 5G-AKA (Authentication and Key Agreement) procedure, the AMF forwards this response to the AUSF for verification. The vulnerability is triggered when the NAS PDU within the Authentication Response exceeds expected boundaries—the AUSF fails to properly validate the size of incoming authentication response data before processing.
The attack can be performed over the network without requiring authentication or user interaction, making it particularly dangerous for exposed 5G core network deployments.
Root Cause
The root cause is insufficient input validation in the AUSF component when processing NAS PDU payloads. The code responsible for handling Authentication Response messages does not properly check the size of the incoming response buffer before attempting to process it. When an oversized response (e.g., 100 bytes instead of the expected size) is received, the buffer overflow condition causes the AUSF process to crash.
This is a classic example of CWE-120 where data is copied into a fixed-size buffer without first verifying that the source data fits within the destination buffer's bounds.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can craft a malicious UplinkNASTransport message containing an Authentication Response with an oversized NAS PDU. When this message traverses through the AMF to the AUSF component, it triggers the buffer overflow condition.
The vulnerability can be exploited by sending specially crafted 5G NAS messages to the network. For detailed technical discussion of this vulnerability, refer to the GitLab Issue Discussion on the OpenAirInterface project.
Detection Methods for CVE-2026-30075
Indicators of Compromise
- Unexpected AUSF process crashes or restarts in 5G core network logs
- Authentication failures across multiple User Equipment simultaneously
- Abnormally large NAS PDU sizes in UplinkNASTransport messages (e.g., exceeding 50 bytes for Authentication Response)
- Repeated registration failures following AUSF service interruptions
Detection Strategies
- Monitor AUSF component logs for crash events or segmentation faults
- Implement network traffic analysis to detect oversized Authentication Response messages in UplinkNASTransport
- Configure alerting on AUSF service availability and unexpected restarts
- Deploy intrusion detection rules to flag NAS PDU payloads exceeding normal size thresholds
Monitoring Recommendations
- Establish baseline metrics for AUSF component uptime and response times
- Implement continuous monitoring of 5G core network component health
- Enable verbose logging on AMF and AUSF components to capture malformed message details
- Configure automated alerts for authentication service degradation patterns
How to Mitigate CVE-2026-30075
Immediate Actions Required
- Review OpenAirInterface deployment and identify if running vulnerable version 2.2.0
- Monitor AUSF component for signs of exploitation attempts
- Consider implementing network segmentation to restrict access to 5G core components
- Check the GitLab Issues Overview for updated patch information
Patch Information
Organizations should monitor the OpenAirInterface GitLab repository for official patches addressing this vulnerability. The issue has been tracked in the GitLab Issue Discussion where developers may provide fix details. Until an official patch is released, implementing compensating controls is recommended.
Workarounds
- Implement input validation at the network perimeter to filter oversized NAS PDU messages
- Deploy rate limiting on authentication requests to minimize impact of exploitation attempts
- Consider deploying AUSF in a redundant configuration to maintain service availability during crashes
- Restrict network access to 5G core components using firewall rules and network segmentation
# Example: Monitor AUSF process for crashes
# Add to monitoring system configuration
journalctl -u oai-ausf -f --since "1 hour ago" | grep -i "crash\|segfault\|killed"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
