CVE-2026-8120 Overview
CVE-2026-8120 is a denial of service vulnerability in Open5GS, an open-source 5G Core and EPC implementation. The flaw resides in the nssf_nnrf_nsselection_handle_get_from_amf_or_vnssf function within /src/nssf/nnssf-handler.c, part of the Network Slice Selection Function (NSSF) component. An authenticated remote attacker can manipulate input to trigger improper resource shutdown or release [CWE-404], disrupting NSSF operations. The issue affects Open5GS versions up to 2.7.7. A public exploit reference exists, and the project maintainers had not responded to the initial issue report at the time of disclosure.
Critical Impact
Remote attackers with low privileges can disrupt 5G core network slice selection services, affecting subscriber connectivity in deployed Open5GS environments.
Affected Products
- Open5GS versions up to and including 2.7.7
- NSSF (Network Slice Selection Function) component
- Deployments using the nnssf-handler.c request handler path
Discovery Timeline
- 2026-05-08 - CVE-2026-8120 published to NVD
- 2026-05-11 - Last updated in NVD database
Technical Details for CVE-2026-8120
Vulnerability Analysis
The vulnerability exists in the NSSF handler responsible for processing Nnssf_NSSelection_Get requests originating from the Access and Mobility Management Function (AMF) or visited NSSF (vNSSF). The affected function nssf_nnrf_nsselection_handle_get_from_amf_or_vnssf does not properly release or manage resources under specific input conditions. This aligns with [CWE-404] Improper Resource Shutdown or Release. A malformed or crafted request reaching the NSSF can drive the process into an unstable state, terminating service handling for network slice selection.
Root Cause
The root cause is improper resource management within the NSSF request handler. When the function processes a specific manipulation of inbound parameters from AMF or vNSSF peers, internal cleanup paths fail to execute correctly. This produces a denial of service condition affecting the NSSF process.
Attack Vector
The attack is executed over the network against the NSSF Service-Based Interface. The attacker requires low-level privileges, consistent with access to a peer 5G Core function or a compromised network function able to issue NSSelection requests. No user interaction is required. Successful exploitation impacts availability of the slice selection service without compromising confidentiality or integrity.
No verified proof-of-concept code is available. For technical details, see GitHub Issue #4432 and the VulDB entry #361907.
Detection Methods for CVE-2026-8120
Indicators of Compromise
- Unexpected termination or restart of the Open5GS NSSF process
- Spikes in failed Nnssf_NSSelection_Get service responses from the NSSF
- Crash logs referencing nssf_nnrf_nsselection_handle_get_from_amf_or_vnssf in /src/nssf/nnssf-handler.c
Detection Strategies
- Monitor NSSF availability through health checks and process supervision metrics
- Inspect SBI traffic for malformed or anomalous NSSelection requests from AMF or vNSSF peers
- Correlate AMF registration failures with NSSF outages to surface upstream impact
Monitoring Recommendations
- Enable verbose logging on the NSSF and forward logs to a centralized SIEM for correlation
- Alert on repeated NSSF crashes within short time windows indicating exploitation attempts
- Track 5G SBI HTTP/2 request rates and error codes against baseline traffic patterns
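One way to implement the repeated-crash alert from the list above, as an added example that is not part of the original advisory or of Open5GS. It assumes the NSSF runs under systemd as a unit named open5gs-nssfd.service and that logs are exported in `journalctl -o short-iso` style; the sample lines, the threshold and the window are constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines in `journalctl -o short-iso` style; not real captures.
# The unit name open5gs-nssfd.service is an assumption about the deployment.
SAMPLE_LOG = """\
2026-05-12T10:00:01+0000 core1 systemd[1]: open5gs-nssfd.service: Main process exited, code=killed, status=6/ABRT
2026-05-12T10:00:40+0000 core1 systemd[1]: open5gs-amfd.service: Main process exited, code=killed, status=11/SEGV
2026-05-12T10:01:10+0000 core1 systemd[1]: open5gs-nssfd.service: Main process exited, code=dumped, status=11/SEGV
2026-05-12T10:02:30+0000 core1 systemd[1]: open5gs-nssfd.service: Main process exited, code=killed, status=6/ABRT
2026-05-12T10:45:00+0000 core1 systemd[1]: open5gs-nssfd.service: Main process exited, code=exited, status=0/SUCCESS
2026-05-12T11:30:00+0000 core1 systemd[1]: open5gs-nssfd.service: Main process exited, code=killed, status=6/ABRT
"""

EXIT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ systemd\[\d+\]: (?P<unit>\S+)\.service: "
    r"Main process exited, code=(?P<code>\w+), status=(?P<status>\S+)"
)

def crash_bursts(lines, unit="open5gs-nssfd", threshold=3, window=timedelta(minutes=5)):
    """Return (first_crash, last_crash, count) for each burst of abnormal exits."""
    recent, alerts = deque(), []
    for line in lines:
        m = EXIT_RE.match(line)
        if not m or m["unit"] != unit:
            continue
        # Signal deaths and core dumps count as crashes; code=exited lines do not.
        if m["code"] not in ("killed", "dumped"):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z")
        recent.append(ts)
        while ts - recent[0] > window:   # drop crashes that fell out of the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((recent[0], ts, len(recent)))
            recent.clear()               # one alert per burst, not one per crash
    return alerts

if __name__ == "__main__":
    for first, last, count in crash_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {count} NSSF crashes between {first} and {last}")
```

Tune `threshold` and `window` against the restart policy in use: an automatic restart on failure shortens outages but also makes a crash loop easy to miss without an alert of this kind.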
How to Mitigate CVE-2026-8120
Immediate Actions Required
- Inventory all Open5GS deployments and identify instances running versions up to 2.7.7
- Restrict NSSF Service-Based Interface exposure to trusted 5G Core network functions only
- Apply network segmentation between core network functions and untrusted networks
- Track the upstream Open5GS repository for a patched release
Patch Information
At the time of disclosure, the Open5GS maintainers had not yet responded to the issue report referenced in GitHub Issue #4432. No vendor advisory or fixed version is available. Monitor the upstream repository for commits referencing nnssf-handler.c and apply the fix once released.
Workarounds
- Enforce mutual TLS authentication between SBI peers to limit which functions can reach the NSSF
- Apply rate limiting and request validation at an SBI proxy or service mesh in front of the NSSF
- Configure process supervision to automatically restart the NSSF on failure to reduce service downtime
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


