CVE-2026-7587 Overview
CVE-2026-7587 is a denial of service vulnerability in Open5GS through version 2.7.7. The flaw resides in the amf_nsmf_pdusession_handle_update_sm_context function within /src/amf/nsmf-handler.c, a component of the Access and Mobility Management Function (AMF). An authenticated remote attacker can manipulate inputs to this handler to disrupt service availability. The exploit details have been disclosed publicly. The Open5GS project was notified through an issue report but has not responded at the time of disclosure. This vulnerability is classified under [CWE-404] (Improper Resource Shutdown or Release), indicating mishandling of resource lifecycles within the AMF session management context.
Critical Impact
Remote attackers with low privileges can trigger a denial of service condition in the Open5GS AMF, disrupting 5G core network session management without requiring user interaction.
Affected Products
- Open5GS versions up to and including 2.7.7
- Open5GS AMF component (/src/amf/nsmf-handler.c)
- 5G core deployments using affected Open5GS releases
Discovery Timeline
- 2026-05-01 - CVE-2026-7587 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-7587
Vulnerability Analysis
The vulnerability affects the amf_nsmf_pdusession_handle_update_sm_context function in the Open5GS AMF. This function processes Session Management Function (SMF) responses related to Protocol Data Unit (PDU) session updates. Open5GS is an open-source implementation of 5G Core and Evolved Packet Core (EPC) network functions used in private mobile network deployments.
The function fails to properly handle resource shutdown or release conditions. When a malformed or unexpected message is processed, the AMF enters a state that disrupts normal operation. The flaw is reachable across the network from any client capable of submitting low-privilege Service-Based Interface (SBI) requests to the AMF.
While the impact is limited to availability, the AMF is a control-plane component responsible for registration, authentication, and mobility management. Disruption of the AMF interrupts subscriber session continuity across the 5G core.
Root Cause
The root cause is improper resource shutdown or release [CWE-404] within the PDU session update SM context handler. The code path does not adequately validate or clean up state before continuing execution, resulting in conditions that terminate or destabilize the AMF process.
Attack Vector
The attack vector is network-based with low attacker complexity. An adversary with low-privilege access to the SBI interfaces of the 5G core can send a crafted update SM context request. No user interaction is required. The exploit has been disclosed publicly through VulDB and a corresponding GitHub issue.
No verified proof-of-concept code is available in this enrichment. Refer to the GitHub Issue #4408 and VulDB Vulnerability #360540 for further technical context.
Detection Methods for CVE-2026-7587
Indicators of Compromise
- Unexpected restarts or crashes of the Open5GS amfd process correlated with inbound SBI traffic
- Abnormal volumes of Nsmf_PDUSession_UpdateSMContext requests targeting the AMF
- Error log entries referencing amf_nsmf_pdusession_handle_update_sm_context or session-context handling failures
- Sudden drops in active PDU sessions or registered User Equipment (UE) counts
Detection Strategies
- Monitor AMF process health and parse amfd logs for fatal errors and assertion failures
- Inspect HTTP/2 SBI traffic between SMF and AMF for malformed or anomalous Update SM Context payloads
- Baseline normal SBI request rates and alert on outliers from individual peers
- Correlate AMF restarts with concurrent SBI request bursts to identify potential exploitation attempts
Monitoring Recommendations
- Forward Open5GS logs to a centralized logging or SIEM platform for retention and correlation
- Track 5G control-plane key performance indicators including registration success rate and session establishment latency
- Enable network packet capture on SBI interfaces during incident response to support forensic analysis
- Alert on repeated AMF service restarts within short time windows
How to Mitigate CVE-2026-7587
Immediate Actions Required
- Identify all Open5GS deployments running version 2.7.7 or earlier and prioritize remediation of internet-exposed instances
- Restrict access to AMF SBI endpoints to trusted SMF and Network Function (NF) peers using network segmentation and firewall rules
- Enforce mutual TLS authentication between 5G core network functions to limit unauthorized request submission
- Deploy process supervision such as systemd restart policies to recover the AMF automatically after a crash
Patch Information
No official patch has been published by the Open5GS project at the time of this advisory. The project was informed through an issue report but has not responded. Track the Open5GS GitHub repository and GitHub Issue #4408 for fix availability and apply updates as soon as they are released.
Workarounds
- Place AMF SBI interfaces behind a Service Communication Proxy (SCP) or API gateway that validates and rate-limits incoming requests
- Apply strict network access control lists so only authorized 5G core peers can reach AMF endpoints
- Implement rate limiting on Nsmf_PDUSession_UpdateSMContext operations to reduce exposure to abusive request patterns
- Increase monitoring sensitivity for AMF process restarts until a vendor patch is available
# Example iptables rule restricting AMF SBI access to trusted SMF peers
iptables -A INPUT -p tcp --dport 7777 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
