CVE-2026-7586 Overview
CVE-2026-7586 is a denial of service vulnerability in Open5GS, an open-source implementation of 5G Core and EPC functions. The flaw resides in the ogs_id_get_value function within /src/amf/nudm-handler.c, a component of the Access and Mobility Management Function (AMF). A remote attacker with low-level privileges can trigger the condition over the network, causing service disruption to the 5G core. The weakness is classified under [CWE-404] (Improper Resource Shutdown or Release). The exploit has been disclosed publicly, and the project maintainers have not yet responded to the issue report referenced in the disclosure.
Critical Impact
Remote attackers with minimal privileges can disrupt AMF availability in Open5GS deployments up to version 2.7.7, impacting 5G subscriber registration and mobility management.
Affected Products
- Open5GS versions up to and including 2.7.7
- AMF component (/src/amf/nudm-handler.c)
- Deployments using the affected ogs_id_get_value function path
Discovery Timeline
- 2026-05-01 - CVE-2026-7586 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-7586
Vulnerability Analysis
Open5GS implements core network functions for 4G LTE and 5G networks, including the AMF, which handles registration, connection, and mobility management for user equipment. The vulnerable code path lies in ogs_id_get_value, invoked from nudm-handler.c when processing responses from the Unified Data Management (UDM) network function over the Service Based Interface (SBI).
The defect maps to [CWE-404], indicating improper handling or release of a resource. When the function processes crafted or unexpected input during NUDM message handling, the AMF process enters a faulty state that disrupts service. Because the AMF is central to subscriber attach and mobility procedures, loss of availability prevents new registrations and may break ongoing sessions.
Exploitation requires network reachability to the SBI and at least low privileges within the 5G core service mesh. There is no impact to confidentiality or integrity.
Root Cause
The root cause is improper resource handling inside ogs_id_get_value when parsing identifiers received in NUDM handler flows. Malformed or missing fields are not safely released or validated, leading to an unstable state in the AMF process. The maintainers have been notified through a public issue report on the Open5GS GitHub repository but have not yet released a fix.
Attack Vector
The attack vector is network-based. An adversary that can deliver crafted SBI traffic to the AMF — for example, a compromised peer network function or a misconfigured SBI exposure — can invoke the vulnerable code path. Since a public exploit description exists, opportunistic abuse against exposed test or lab environments is plausible.
No verified proof-of-concept code is published in the referenced sources. See the GitHub Issue #4405 and VulDB Vulnerability #360536 for technical context.
Detection Methods for CVE-2026-7586
Indicators of Compromise
- Unexpected restarts or crashes of the Open5GS amf process correlated with inbound NUDM traffic
- Abnormal volume or malformed SBI HTTP/2 requests targeting AMF endpoints handling subscriber identifiers
- Spikes in failed UE registration attempts following NUDM message exchanges
Detection Strategies
- Inspect AMF logs for errors originating in nudm-handler.c and ogs_id_get_value near the time of service degradation
- Monitor SBI traffic for malformed or unexpected JSON payloads in NUDM responses, particularly around identifier fields
- Correlate AMF process termination events with peer network function activity to identify the source of malicious traffic
Monitoring Recommendations
- Enable verbose logging on the AMF and forward logs to a centralized SIEM for correlation
- Track AMF availability metrics and alert on repeated process restarts within short intervals
- Audit network policies governing SBI reachability between AMF, UDM, and adjacent network functions
How to Mitigate CVE-2026-7586
Immediate Actions Required
- Restrict SBI network access so that only trusted, authenticated network functions can reach the AMF
- Place Open5GS deployments behind a service mesh or API gateway that enforces schema validation on NUDM messages
- Treat any exposure of Open5GS 2.7.7 or earlier to untrusted networks as high risk and isolate accordingly
Patch Information
No official patch has been published at the time of CVE assignment. The project was informed through a public issue report but has not yet responded. Track the Open5GS GitHub repository and Issue #4405 for fix availability, and rebuild from source once a patched commit is merged.
Workarounds
- Apply strict input validation at an upstream proxy for NUDM message fields consumed by ogs_id_get_value
- Deploy the AMF with automatic restart supervision to limit downtime if the process terminates
- Segment 5G core network functions on dedicated VLANs or namespaces with mutual TLS authentication on SBI
- Limit privileges of peer network functions and rotate credentials used on the SBI to reduce attacker leverage
# Example: restrict AMF SBI exposure with iptables to trusted UDM peer only
iptables -A INPUT -p tcp --dport 7777 -s <trusted_udm_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
