CVE-2026-7535: Open5GS Denial of Service Vulnerability

CVE-2026-7535 Overview

CVE-2026-7535 affects Open5GS versions up to 2.7.7, an open-source implementation of 5G Core and EPC functions. The vulnerability resides in the amf_namf_comm_handle_registration_status_update_request function within /lib/app/ogs-init.c, which processes requests to the /namf-comm/v1/ue-contexts/{ueContextId}/transfer-update endpoint. Manipulation of the ueContextId argument triggers a denial of service condition. Remote attackers can initiate the attack with low privileges and no user interaction. A public exploit exists, and the maintainers have not responded to the issue report at the time of disclosure. The weakness maps to [CWE-404: Improper Resource Shutdown or Release].

Critical Impact

Remote attackers can disrupt the Access and Mobility Management Function (AMF) of Open5GS deployments by submitting crafted ueContextId values, impacting 5G core service availability.

Affected Products

• Open5GS versions up to and including 2.7.7
• Open5GS AMF (Access and Mobility Management Function) component
• Deployments exposing the namf-comm service-based interface

Discovery Timeline

• 2026-05-01 - CVE-2026-7535 published to NVD
• 2026-05-01 - Last updated in NVD database

Technical Details for CVE-2026-7535

Vulnerability Analysis

The flaw resides in how Open5GS handles registration status update requests on the Namf_Communication service-based interface defined by 3GPP. When the AMF processes the transfer-update operation, the amf_namf_comm_handle_registration_status_update_request function fails to properly validate or release resources tied to the supplied ueContextId path parameter. A crafted value causes the AMF process to terminate or hang, interrupting User Equipment (UE) registration handling across the 5G core.

Because the AMF is the central control-plane element for UE registration, mobility, and connection management, an outage propagates to all subscribers serviced by the affected instance. Although the request requires authenticated access at the service-mesh level, only low privileges are necessary. The public availability of exploit details lowers the barrier for opportunistic abuse against operator labs, private 5G deployments, and research environments.

Root Cause

The root cause is improper resource shutdown or release [CWE-404] in the AMF's Namf_Communication handler. Input validation on ueContextId is insufficient, allowing malformed identifiers to drive the handler into an error path that does not cleanly release allocated resources or recover the request context.

Attack Vector

The attack is network-based. An attacker with low-privileged access to the 5G service-based architecture (SBA) sends a crafted HTTP/2 request to /namf-comm/v1/ue-contexts/{ueContextId}/transfer-update with a manipulated ueContextId. No user interaction is required. The result is loss of AMF availability, classified as a denial of service condition.

No verified exploit code is reproduced here. Refer to the Open5GS Issue #4399 and VulDB Vulnerability #360352 for technical details on the public proof of concept.

Detection Methods for CVE-2026-7535

Indicators of Compromise

• Unexpected restarts or crashes of the Open5GS open5gs-amfd process correlated with inbound Namf_Communication traffic.
• HTTP/2 requests to /namf-comm/v1/ue-contexts/{ueContextId}/transfer-update containing malformed, oversized, or non-conforming ueContextId values.
• Spikes in failed UE registration updates and corresponding session anomalies in core network logs.

Detection Strategies

• Inspect AMF service logs for handler errors originating in amf_namf_comm_handle_registration_status_update_request immediately preceding process termination.
• Deploy SBA-aware traffic inspection to flag requests where the ueContextId deviates from the expected 3GPP format defined in TS 29.518.
• Correlate AMF availability metrics with NF (Network Function) request patterns to identify single-source DoS attempts.

Monitoring Recommendations

• Alert on repeated transfer-update requests from the same NF consumer within short time windows.
• Track AMF process uptime, memory growth, and restart counts as availability health signals.
• Forward Open5GS logs and SBA telemetry into a centralized data lake for correlation and historical analysis.

How to Mitigate CVE-2026-7535

Immediate Actions Required

• Restrict access to the Namf_Communication interface so that only authorized 5G Network Functions can reach the AMF.
• Apply strict input validation or a reverse proxy filter that rejects malformed ueContextId values before they reach Open5GS.
• Monitor the Open5GS GitHub repository for an official fix and apply it as soon as it is published.

Patch Information

At the time of publication, the Open5GS project has not released a patch for CVE-2026-7535. The issue was reported through Open5GS Issue #4399 but had not received a vendor response. Operators should track the upstream repository and the VulDB CTI for #360352 entry for fix availability.

Workarounds

• Place the AMF behind a Service Communication Proxy (SCP) or API gateway that enforces schema validation on ueContextId.
• Apply mutual TLS and strong NF authentication on the SBA to limit which peers can invoke the affected endpoint.
• Rate-limit transfer-update requests per consumer NF to reduce exposure to repeated DoS attempts.
• Run AMF instances under a process supervisor that restarts the service automatically and deploy redundant AMFs to maintain availability.

# Example nginx-style request filter to reject malformed ueContextId values
# (Adapt to your SCP, API gateway, or service mesh policy engine)
location ~ ^/namf-comm/v1/ue-contexts/(?<uectx>[^/]+)/transfer-update$ {
    if ($uectx !~ "^[A-Za-z0-9_-]{1,64}$") {
        return 400;
    }
    proxy_pass http://open5gs_amf_upstream;
}