CVE-2026-7583 Overview
CVE-2026-7583 is a denial-of-service vulnerability in Open5GS, an open-source implementation of 5G Core and EPC functions. The flaw resides in the bsf_sess_find_by_ipv6prefix function within /src/bsf/context.c of the Binding Support Function (BSF) component. Manipulation of the ipv6Prefix argument triggers the condition and disrupts service availability. The issue affects Open5GS releases up to and including version 2.7.7. An attacker can initiate the attack remotely with low-privileged access. The exploit has been published, and the project has not yet responded to the issue report. The weakness is classified under [CWE-404] (Improper Resource Shutdown or Release).
Critical Impact
Remote attackers with low-privileged network access can cause the BSF component of Open5GS 5G core deployments to enter a denial-of-service state, disrupting policy and charging session bindings.
Affected Products
- Open5GS versions up to 2.7.7
- Binding Support Function (BSF) component
- Deployments using IPv6 session binding via bsf_sess_find_by_ipv6prefix
Discovery Timeline
- 2026-05-01 - CVE-2026-7583 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-7583
Vulnerability Analysis
The vulnerability resides in the BSF component of Open5GS, which handles binding between user equipment sessions and policy/charging functions in a 5G core. The function bsf_sess_find_by_ipv6prefix in /src/bsf/context.c processes the ipv6Prefix argument supplied through Service-Based Interface requests. Improper resource shutdown or release [CWE-404] during this lookup leads to a condition that exhausts or fails to free resources, terminating service availability for the BSF.
Because BSF mediates session binding for Policy Control Function (PCF) selection, a downed BSF disrupts policy decisions across affected user sessions. The attacker requires authenticated access at a low privilege level on the network plane, but no user interaction is needed. Exploitation does not affect confidentiality or integrity, only availability.
Root Cause
The root cause is improper handling of the ipv6Prefix parameter inside bsf_sess_find_by_ipv6prefix. The function does not enforce sufficient validation or release semantics when the input is malformed or crafted to trigger the failure path. This leads to resource mismanagement consistent with [CWE-404].
Attack Vector
An attacker reaches the BSF over the network and submits a crafted request containing a malicious ipv6Prefix value. Repeated submission of such requests triggers the denial-of-service condition. The attack requires low-privileged authenticated access but no user interaction. Public exploit details are referenced in VulDB Vulnerability #360530 and GitHub Issue #4401.
No verified proof-of-concept code is reproduced here. Refer to the upstream issue tracker for technical reproduction details.
Detection Methods for CVE-2026-7583
Indicators of Compromise
- Unexpected restarts or crashes of the Open5GS BSF process
- Failed or stalled session binding lookups in BSF logs referencing bsf_sess_find_by_ipv6prefix
- Anomalous Service-Based Interface requests carrying malformed ipv6Prefix values
Detection Strategies
- Monitor BSF service health and restart counters in your 5G core orchestration platform
- Inspect HTTP/2 traffic on the Nbsf interface for malformed or oversized ipv6Prefix parameters
- Correlate BSF crashes with preceding API requests to identify malicious clients
Monitoring Recommendations
- Enable verbose logging on the BSF component and forward logs to a centralized analytics platform
- Track availability metrics and alert on BSF unavailability exceeding defined thresholds
- Baseline normal Nbsf request patterns to detect anomalous request bursts
How to Mitigate CVE-2026-7583
Immediate Actions Required
- Restrict network access to the BSF Nbsf interface to trusted Network Functions only
- Apply strict authentication and access control on Service-Based Interface endpoints
- Monitor the Open5GS GitHub repository for an upstream patch
Patch Information
No official vendor patch is available at the time of publication. The project was notified via GitHub Issue #4401 but has not yet responded. Track the issue and the Open5GS project for fix availability and upgrade once a patched release is published.
Workarounds
- Deploy a reverse proxy or service mesh policy that validates ipv6Prefix parameter format before forwarding to BSF
- Rate-limit requests to the BSF Nbsf interface to slow exploitation attempts
- Run BSF behind a process supervisor configured to restart the service automatically on failure
# Example: restrict BSF Nbsf access via iptables to trusted PCF/SMF subnets
iptables -A INPUT -p tcp --dport 7777 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
