CVE-2026-7707 Overview
CVE-2026-7707 affects Open5GS versions up to 2.7.7, an open-source implementation of 5G Core and EPC components. The vulnerability resides in the udr_nudr_dr_handle_subscription_context function within /src/udr/nudr-handler.c, part of the Unified Data Repository (UDR) component. Manipulation of the pei argument triggers a denial-of-service condition. The flaw is exploitable remotely by an attacker holding low-level privileges, and a public exploit has been disclosed. The Open5GS project was notified through an issue report but has not responded at the time of publication. The weakness is categorized under CWE-404: Improper Resource Shutdown or Release.
Critical Impact
Remote attackers with low privileges can crash the UDR component, disrupting subscriber data services within affected 5G core deployments.
Affected Products
- Open5GS versions up to and including 2.7.7
- Unified Data Repository (UDR) component
- Deployments using nudr-handler.c subscription context handling
Discovery Timeline
- 2026-05-03 - CVE-2026-7707 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7707
Vulnerability Analysis
The vulnerability exists in the Open5GS UDR component, which stores subscriber data in 5G core networks. The udr_nudr_dr_handle_subscription_context function in /src/udr/nudr-handler.c improperly handles the Permanent Equipment Identifier (pei) argument. When an attacker submits a crafted pei value, the function fails to release resources or validate input correctly, causing the UDR process to crash or become unresponsive. This disrupts subscriber data lookups across the 5G core, impacting authentication, session management, and policy decisions that depend on UDR availability. The Network Data Repository (Nudr) interface exposes this code path to other Network Functions, which extends the attack surface across the service-based architecture.
Root Cause
The root cause is improper resource shutdown or release [CWE-404] within the UDR subscription context handler. The pei argument is processed without sufficient validation or safe lifecycle management. Malformed or unexpected input causes the function to leave resources in an inconsistent state, leading to denial of service.
Attack Vector
The attack is launched over the network against the Nudr service interface. An adversary with low-level authenticated access on the 5G service-based interface (SBI) sends a request with a manipulated pei parameter to the UDR. No user interaction is required. A public exploit has been disclosed, lowering the barrier for opportunistic abuse against exposed Open5GS deployments. EPSS data indicates a probability of 0.057% with a percentile of 17.72.
No verified exploitation code is available from upstream sources. Refer to GitHub Issue #4410 and GitHub Issue #4411 for the original technical reports.
Detection Methods for CVE-2026-7707
Indicators of Compromise
- Unexpected crashes or restarts of the Open5GS UDR process accompanied by stack traces referencing udr_nudr_dr_handle_subscription_context
- Malformed or anomalous pei values in Nudr_DataRepository service requests captured in SBI traffic logs
- Repeated subscription context retrieval failures originating from a single peer Network Function
Detection Strategies
- Monitor UDR application logs for fatal errors, segmentation faults, or abrupt termination events tied to subscription handling
- Inspect Nudr HTTP/2 traffic for invalid or oversized pei fields in subscription context messages
- Correlate 5G core service availability metrics with spikes in failed subscriber data lookups
Monitoring Recommendations
- Enable verbose logging for the UDR component and forward logs to a centralized analytics platform
- Track process uptime and restart frequency for open5gs-udrd as a stability baseline
- Alert on unauthorized peers attempting to query the Nudr interface from outside the trusted core network
How to Mitigate CVE-2026-7707
Immediate Actions Required
- Restrict network access to the UDR Nudr interface so that only authorized 5G Network Functions can reach it
- Audit all Open5GS deployments for versions at or below 2.7.7 and prioritize isolation of internet-exposed instances
- Apply rate limiting and input validation at the SBI ingress to filter malformed pei values
Patch Information
No official patch has been released by the Open5GS project at the time of publication. Track the Open5GS GitHub repository and the open issues #4410 and #4411 for upstream fix activity. Vulnerability tracking is also available at VulDB #360883.
Workarounds
- Deploy network segmentation to ensure the UDR is reachable only from internal 5G core components
- Place a service mesh or API gateway in front of the UDR to validate Nudr request schemas before forwarding
- Implement automated process supervision to restart the UDR after a crash and reduce service downtime while a patch is pending
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
