CVE-2026-7518 Overview
CVE-2026-7518 affects Open5GS versions up to 2.7.7, an open-source implementation of 5G Core and EPC components. The flaw resides in the amf_namf_callback_handle_sdm_data_change_notify function within /namf-callback/v1/{id}/sdmsubscription-notify, part of the Access and Mobility Management Function (AMF) Service-Based Interface (SBI) Endpoint. Manipulation of the changeItem.newValue argument triggers improper resource handling [CWE-404] that leads to denial of service. The attack is initiated remotely and requires low privileges with no user interaction. A proof-of-concept exploit has been published, and the project maintainers have not responded to the issue report at the time of disclosure.
Critical Impact
Remote attackers with low-level access can crash or degrade the Open5GS AMF component, disrupting 5G core network signaling and mobility management services.
Affected Products
- Open5GS versions up to and including 2.7.7
- AMF SBI Endpoint component
- amf_namf_callback_handle_sdm_data_change_notify callback handler
Discovery Timeline
- 2026-05-01 - CVE-2026-7518 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-7518
Vulnerability Analysis
The vulnerability resides in the AMF callback handler that processes Subscriber Data Management (SDM) data change notifications. When the AMF receives a notification at /namf-callback/v1/{id}/sdmsubscription-notify, the function amf_namf_callback_handle_sdm_data_change_notify parses the changeItem.newValue field from the request body. Improper resource release or unhandled state transitions during this processing causes the AMF process to terminate or stop servicing legitimate signaling traffic.
Because the AMF is a central element in 5G Core architecture, disruption of this Network Function affects User Equipment (UE) registration, mobility management, and session establishment for all subscribers attached to the affected core.
Root Cause
The issue is categorized under [CWE-404] Improper Resource Shutdown or Release. The callback handler does not correctly manage allocated resources or handle malformed changeItem.newValue input during the SDM notification flow, leading to resource state corruption and a denial of service condition.
Attack Vector
The attack is network-based and requires low privileges. An attacker with the ability to send requests to the AMF SBI endpoint can craft a malicious sdmsubscription-notify callback containing a manipulated changeItem.newValue field. The exploit has been published publicly. In typical 5G core deployments, SBI endpoints should be reachable only from trusted Network Functions, but misconfigured or exposed deployments increase the attack surface.
The vulnerability mechanism is documented in the GitHub Issue #4395 and tracked under VulDB Vulnerability #360332. No verified exploitation code is reproduced here; refer to the upstream Open5GS Repository for source-level details.
Detection Methods for CVE-2026-7518
Indicators of Compromise
- Unexpected AMF process termination or restarts in Open5GS service logs.
- HTTP/2 POST requests to /namf-callback/v1/{id}/sdmsubscription-notify from unauthorized or unexpected source addresses.
- Malformed JSON payloads containing anomalous changeItem.newValue field structures in AMF request logs.
- Sudden drops in UE registration success rates or N1/N2 signaling failures correlated with SBI traffic spikes.
Detection Strategies
- Inspect AMF SBI HTTP/2 traffic for requests targeting the sdmsubscription-notify callback path with malformed notification bodies.
- Correlate AMF crashes or systemd restart events with preceding inbound SBI requests to identify exploitation attempts.
- Apply schema validation against incoming SdmSubscription notification payloads to flag deviations from 3GPP TS 29.503 specifications.
Monitoring Recommendations
- Monitor AMF process uptime, memory usage, and crash counters via service health probes.
- Log and alert on all namf-callback requests originating outside the expected UDM Network Function address range.
- Track 5G control plane metrics including registration request failures and PDU session establishment errors.
How to Mitigate CVE-2026-7518
Immediate Actions Required
- Restrict network access to the AMF SBI endpoint so that only authorized 5G Network Functions on the trusted Service-Based Architecture network can reach it.
- Deploy an API gateway or service mesh in front of Open5GS Network Functions to enforce authentication, authorization, and payload validation.
- Monitor the Open5GS GitHub repository for an upstream fix and apply it once released.
Patch Information
No official patch is available at the time of publication. The maintainers have been notified through GitHub Issue #4395 but have not responded. Operators running Open5GS 2.7.7 or earlier should track the issue and the VulDB submission for remediation updates.
Workarounds
- Apply firewall rules or network policies to block external access to the /namf-callback/v1/ path on the AMF SBI listener.
- Place a reverse proxy that performs JSON schema validation on sdmsubscription-notify requests before they reach the AMF.
- Implement rate limiting on AMF SBI endpoints to reduce the impact of repeated exploitation attempts.
- Run Open5GS components with process supervision configured to automatically restart failed Network Functions and minimize service disruption.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
