CVE-2026-8122 Overview
CVE-2026-8122 is a denial of service vulnerability in Open5GS versions up to 2.7.7. The flaw resides in the ogs_sbi_discovery_option_add_service_names function within the /lib/sbi/message.c library file, which is part of the Network Slice Selection Function (NSSF) component. A remote authenticated attacker with low privileges can trigger the condition to disrupt service availability. The exploit details have been disclosed publicly, increasing the risk of opportunistic abuse against exposed 5G core deployments. The Open5GS project was notified through an upstream issue report but has not responded at the time of disclosure.
Critical Impact
Remote attackers can disrupt the NSSF service in Open5GS deployments, affecting 5G core network slice selection and degrading subscriber service availability.
Affected Products
- Open5GS versions up to and including 2.7.7
- Open5GS NSSF component (/lib/sbi/message.c)
- 5G core deployments using the affected Service Based Interface (SBI) library
Discovery Timeline
- 2026-05-08 - CVE-2026-8122 published to NVD
- 2026-05-11 - Last updated in NVD database
Technical Details for CVE-2026-8122
Vulnerability Analysis
The vulnerability affects the ogs_sbi_discovery_option_add_service_names function inside the Open5GS Service Based Interface (SBI) message handling library. This function processes service name discovery options exchanged between 5G core network functions. Improper handling of resource allocation or release within this code path leads to a denial of service condition, classified under [CWE-404] Improper Resource Shutdown or Release.
The NSSF (Network Slice Selection Function) is responsible for selecting network slices for user equipment in 5G networks. Disruption of this component impairs slice selection logic, which can cascade into subscriber registration failures and degraded mobile service.
Root Cause
The root cause is improper resource management within ogs_sbi_discovery_option_add_service_names. When the function processes malformed or unexpected service name input, it fails to correctly release or constrain resources. The error path leads to abnormal termination or resource exhaustion in the NSSF process handling SBI traffic.
Attack Vector
The attack is performed over the network against an Open5GS NSSF endpoint exposing the SBI. The attacker requires low privileges, typically a position within the 5G core signaling plane or access to an interconnected network function. The attacker sends a crafted SBI discovery message referencing service names that trigger the flawed code path in message.c. Exploitation results in a denial of service against the NSSF component.
No verified public proof-of-concept code is available in the references. The vulnerability is described in GitHub Issue #4435 and tracked in VulDB Vulnerability #361909.
Detection Methods for CVE-2026-8122
Indicators of Compromise
- Unexpected NSSF process restarts or crashes in Open5GS logs
- Abnormal SBI HTTP/2 requests targeting NSSF service discovery endpoints with malformed service-names parameters
- Repeated NF (Network Function) discovery failures correlated with NSSF unavailability
- Subscriber slice selection errors propagating to AMF and SMF logs
Detection Strategies
- Monitor NSSF process health and restart counts using systemd or container orchestration metrics
- Inspect SBI traffic for malformed or anomalous service-name discovery options on the N22 reference point
- Apply log-based detection rules that correlate NSSF service termination events with inbound SBI requests
- Baseline normal SBI discovery traffic and alert on volumetric or structural deviations
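The log-based correlation described in the list above, as an added example that is not part of the original advisory or of Open5GS. The log layout, the `sbi-proxy` and `supervisor` sources, the `disc=` field and the 5-second window are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=5)  # assumed look-back before each NSSF exit

# Constructed sample in a hypothetical "<time> <source> key=value ..." layout.
SAMPLE_LOG = """\
2026-05-12T09:14:40Z sbi-proxy peer=10.10.0.21 disc=- status=200
2026-05-12T09:14:58Z sbi-proxy peer=10.10.0.37 disc=service-names status=-
2026-05-12T09:14:59Z supervisor unit=open5gs-nssfd event=exited
2026-05-12T09:15:04Z supervisor unit=open5gs-nssfd event=started
2026-05-12T09:16:10Z sbi-proxy peer=10.10.0.21 disc=service-names status=200
2026-05-12T09:17:31Z sbi-proxy peer=10.10.0.37 disc=service-names status=-
2026-05-12T09:17:31Z supervisor unit=open5gs-nssfd event=exited
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kv>.*)$")

def parse(text):
    """Yield (timestamp, source, fields) for every well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            fields = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], fields

def correlate(text, window=WINDOW):
    """For each NSSF exit, count the peers that sent a request carrying a
    service-names discovery option within `window` before the exit."""
    events = sorted(parse(text), key=lambda e: e[0])
    reqs = [(ts, f["peer"]) for ts, src, f in events
            if src == "sbi-proxy" and f.get("disc") == "service-names" and "peer" in f]
    findings = []
    for ts, src, f in events:
        if (src == "supervisor" and f.get("unit") == "open5gs-nssfd"
                and f.get("event") == "exited"):
            peers = Counter(p for rts, p in reqs if ts - window <= rts <= ts)
            findings.append((ts.isoformat(), dict(peers)))
    return findings

def repeat_peers(findings, threshold=2):
    """Peers seen before at least `threshold` separate exits."""
    seen = Counter(p for _, peers in findings for p in peers)
    return sorted(p for p, n in seen.items() if n >= threshold)

if __name__ == "__main__":
    found = correlate(SAMPLE_LOG)
    print(found, repeat_peers(found))
```

A peer returned by `repeat_peers` preceded more than one NSSF exit and is the first candidate for a packet-capture review.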
Monitoring Recommendations
- Enable verbose logging in the Open5GS NSSF and forward logs to a centralized SIEM for correlation
- Track availability and response latency of NSSF endpoints with synthetic SBI probes
- Alert on repeated client errors or connection resets originating from peer Network Functions toward the NSSF
- Review network captures of the SBI plane periodically to identify malformed discovery options
How to Mitigate CVE-2026-8122
Immediate Actions Required
- Restrict network access to the Open5GS SBI plane so only authorized Network Functions can reach the NSSF
- Place NSSF endpoints behind mutual TLS authentication as specified by 3GPP TS 33.501
- Apply rate limiting on SBI discovery requests to reduce the impact of abusive traffic
- Monitor the GitHub Open5GS Repository for an upstream fix and apply it once published
Patch Information
At the time of publication, the Open5GS project has not released a patch addressing CVE-2026-8122. The issue was reported upstream via GitHub Issue #4435 but remains unaddressed. Operators should track the repository for commits modifying lib/sbi/message.c and the ogs_sbi_discovery_option_add_service_names function.
Workarounds
- Segment the 5G core SBI network using strict firewall rules limiting NSSF reachability to known peer NFs
- Deploy an SBI-aware reverse proxy or Service Communication Proxy (SCP) capable of validating discovery option payloads
- Increase NSSF process supervision so the service is restarted automatically after a crash, reducing downtime
- Disable or restrict unused NSSF service discovery features where operationally feasible
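# Example: restrict NSSF SBI access to known Network Function subnets using nftables
# 10.10.0.0/24 and TCP port 7777 are example values; use the deployment's peer NF subnet and NSSF SBI port
nft add table inet open5gs
# Keep the base chain's default policy at accept so that only the SBI port is filtered and other host traffic is unaffected
nft add chain inet open5gs input { type filter hook input priority 0 \; policy accept \; }
nft add rule inet open5gs input ct state established,related accept
nft add rule inet open5gs input iif lo accept
nft add rule inet open5gs input ip saddr { 10.10.0.0/24 } tcp dport 7777 accept
# Drop every other new connection to the SBI port, IPv4 or IPv6
nft add rule inet open5gs input tcp dport 7777 drop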
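For the SBI-aware proxy workaround listed above, a strict check of the `service-names` discovery option that such a proxy could apply before forwarding. This is an added example, not Open5GS code and not a fix for the flaw. The advisory does not say which input triggers the bug, so the checks are generic allow-list validation; the allow-list subset, both limits and the sample targets are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# ServiceName values (3GPP TS 29.510) the deployment's peers are expected to
# request; an assumed subset, extend it to match the NFs actually in use.
ALLOWED_SERVICE_NAMES = frozenset({
    "nnssf-nsselection", "nnssf-nssaiavailability",
    "namf-comm", "nsmf-pdusession", "nausf-auth",
    "nudm-sdm", "nudm-uecm", "nudm-ueau", "nnrf-nfm", "nnrf-disc",
})
MAX_NAMES = 8       # assumed proxy policy limit, not an Open5GS constant
MAX_NAME_LEN = 64   # assumed proxy policy limit

def check_service_names(target):
    """Return (ok, reason) for the request target of one SBI request."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = query.get("service-names")
    if values is None:
        return True, "no service-names option"
    if len(values) != 1:
        return False, "service-names repeated"
    names = values[0].split(",")  # parse_qs has already percent-decoded
    if len(names) > MAX_NAMES:
        return False, "too many service names"
    seen = set()
    for name in names:
        if not name:
            return False, "empty service name"
        if len(name) > MAX_NAME_LEN or name not in ALLOWED_SERVICE_NAMES:
            return False, "unknown service name"
        if name in seen:
            return False, "duplicate service name"
        seen.add(name)
    return True, "ok"

# Constructed request targets for illustration.
BASE = "/nnrf-disc/v1/nf-instances?target-nf-type=NSSF&requester-nf-type=AMF"
SAMPLES = [
    BASE,
    BASE + "&service-names=nnssf-nsselection,nnssf-nssaiavailability",
    BASE + "&service-names=nnssf-nsselection,,namf-comm",
    BASE + "&service-names=nnssf-nsselection%2Cnnssf-nsselection",
    BASE + "&service-names=not-a-service",
]

def screen(targets=SAMPLES):
    """Map each target to its (ok, reason) verdict."""
    return [check_service_names(t) for t in targets]
```

Rejected requests should be answered by the proxy and logged with the peer address so they feed the detection rules rather than reaching the NSSF.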