The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-7601

CVE-2026-7601: Open5GS AMF DoS Vulnerability Explained

CVE-2026-7601 is a denial of service flaw in Open5GS AMF component affecting versions up to 2.7.6. Remote attackers can exploit this to disrupt service availability. This article covers technical details, impact, and mitigation.

Published: May 7, 2026

CVE-2026-7601 Overview

CVE-2026-7601 is a denial-of-service vulnerability in Open5GS, an open-source 5G core and EPC implementation. The flaw resides in the Access and Mobility Management Function (AMF) component, specifically in src/amf/gmm-handler.c. An authenticated remote attacker can manipulate the reg_type argument in a 5GS registration request to trigger a denial-of-service condition. The issue is classified under CWE-404: Improper Resource Shutdown or Release. Open5GS versions up to and including 2.7.6 are affected, and the maintainers addressed the issue in version 2.7.7 via commit ebc66942b6f8f1fab2d640e71cf4e9f1a423b426.

Critical Impact

A remote authenticated attacker can disrupt 5G AMF availability by sending a registration request containing an invalid reg_type value, impacting subscriber registration across the mobile core.

Affected Products

  • Open5GS versions up to and including 2.7.6
  • Open5GS AMF (Access and Mobility Management Function) component
  • 5G Core deployments built on the affected Open5GS releases

Discovery Timeline

  • 2026-05-02 - CVE-2026-7601 published to NVD
  • 2026-05-05 - Last updated in NVD database

Technical Details for CVE-2026-7601

Vulnerability Analysis

The vulnerability lives in the AMF's 5GS Mobility Management (5GMM) handler. When a User Equipment (UE) sends a registration request, the AMF parses a reg_type value that indicates initial registration, mobility update, periodic update, or emergency registration. The unpatched code branches directly on registration_type->value without normalizing reserved or unused encodings. According to 3GPP TS 24.501 Table 9.11.3.7.1, unused registration-type values must be treated as initial registration. The AMF instead permits a placeholder value of 0 to propagate into downstream context-transfer logic, where assertions on amf_ue->nas.registration.value fail and terminate the AMF process.

Root Cause

The root cause is missing input normalization on a NAS protocol field [CWE-404]. The handler in gmm-handler.c does not coerce invalid reg_type values into the specification-mandated default before invoking subsequent procedures. Functions such as the namf context-transfer builder in src/amf/namf-build.c rely on ogs_assert() checks that abort the process when nas.registration.value is zero, converting a malformed input into a fatal failure of the network function.

Attack Vector

The attack is performed remotely over the 5G NAS interface. An attacker controlling or impersonating a UE, or a compromised gNB peer, sends a registration request with a reserved or zero reg_type value. Authentication context at the radio layer is required (PR:L), but no user interaction is needed. Successful exploitation halts the AMF and disrupts registration, mobility, and session management for all subscribers served by the affected instance.

c
// Patch excerpt from src/amf/gmm-handler.c
             sizeof(ogs_nas_5gs_registration_type_t));
     amf_ue->nas.message_type = OGS_NAS_5GS_REGISTRATION_REQUEST;
 
-    if (registration_type->value == OGS_NAS_5GS_REGISTRATION_TYPE_INITIAL) {
+    /*
+     * TS 24.501 Table 9.11.3.7.1:
+     * Unused registration-type encodings shall be interpreted as
+     * "initial registration" by the network.
+     *
+     * Normalize here so subsequent transfer logic has a stable basis.
+     */
+    if (amf_ue->nas.registration.value == 0) {
+        ogs_error("Normalize reg_type[0] to INITIAL");
+        amf_ue->nas.registration.value = OGS_NAS_5GS_REGISTRATION_TYPE_INITIAL;
+    }
+
+    if (amf_ue->nas.registration.value ==
+            OGS_NAS_5GS_REGISTRATION_TYPE_INITIAL) {

Source: GitHub Commit ebc66942. The patch normalizes a zero reg_type to OGS_NAS_5GS_REGISTRATION_TYPE_INITIAL before any downstream logic runs, preventing the assertion-driven crash.

Detection Methods for CVE-2026-7601

Indicators of Compromise

  • AMF log entries containing Normalize reg_type[0] to INITIAL after upgrading to 2.7.7, indicating attempted exploitation patterns from clients sending invalid reg_type values.
  • Unexpected AMF process restarts or ogs_assert failures referencing amf_ue->nas.registration.value in pre-patch deployments.
  • Repeated 5GS registration request bursts from a single gNB or UE identifier preceding AMF instability.

Detection Strategies

  • Inspect NAS-5GMM Registration Request messages on the N1/N2 interfaces for reg_type values outside the four valid encodings defined in 3GPP TS 24.501.
  • Correlate AMF crash or restart events with preceding registration traffic from specific UE Subscription Concealed Identifiers (SUCIs) or gNB endpoints.
  • Baseline AMF availability metrics and alert on abrupt drops in successful registration completion rates.

Monitoring Recommendations

  • Forward Open5GS AMF logs to a centralized analytics platform and alert on ogs_error and assertion failures involving gmm-handler.c or namf-build.c.
  • Monitor process supervisor events (systemd, Kubernetes liveness probes) for repeated AMF restarts within short intervals.
  • Track NAS message rates per gNB and per UE to identify malformed-message floods consistent with denial-of-service probing.

How to Mitigate CVE-2026-7601

Immediate Actions Required

  • Upgrade Open5GS to version 2.7.7 or later, which contains commit ebc66942b6f8f1fab2d640e71cf4e9f1a423b426.
  • Inventory all 5G core deployments to confirm AMF versions and prioritize patching of internet-adjacent or multi-tenant instances first.
  • Restrict N2 and NAS connectivity to trusted gNB peers using mutual TLS and network segmentation while patches are rolled out.

Patch Information

The fix is available in the official GitHub Release v2.7.7. The patch normalizes invalid reg_type values to initial registration in src/amf/gmm-handler.c and adds defensive assertions in src/amf/namf-build.c. Tracking is available in GitHub Issue #4321 and VulDB Vulnerability #360558.

Workarounds

  • Deploy a NAS-aware filter or signaling firewall in front of the AMF to drop registration requests with reserved or zero reg_type values.
  • Configure AMF process supervision for rapid automated restart to limit downtime if exploitation occurs before patching completes.
  • Limit gNB peering to authenticated, known nodes via IPsec and operator-issued certificates to reduce the attacker population.
bash
# Verify installed Open5GS version and upgrade
open5gs-amfd -v

# Build and install patched release from source
git clone https://github.com/open5gs/open5gs.git
cd open5gs
git checkout v2.7.7
meson build --prefix=`pwd`/install
ninja -C build install

# Restart the AMF service after upgrade
systemctl restart open5gs-amfd
systemctl status open5gs-amfd

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechOpen5gs
  • SeverityMEDIUM
  • CVSS Score5.3
  • EPSS Probability0.06%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityLow
  • CWE References
  • CWE-404
  • Technical References
  • GitHub Open5GS Repository
  • GitHub Commit ebc66942
  • GitHub Issue #4321
  • GitHub Release v2.7.7
  • VulDB Submission #805675
  • VulDB Vulnerability #360558
  • VulDB CTI #360558
  • Related CVEs
  • CVE-2026-7585: Open5GS AMF Component DoS Vulnerability
  • CVE-2026-7586: Open5gs Open5gs DoS Vulnerability
  • CVE-2026-7587: Open5GS AMF DoS Vulnerability
  • CVE-2026-7707: Open5GS UDR DoS Vulnerability Disclosed
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English