CVE-2026-8123 Overview
CVE-2026-8123 affects Open5GS through version 2.7.7, an open-source implementation of 5G Core and EPC. The flaw resides in the ogs_sbi_discovery_option_add_snssais function within /lib/sbi/message.c, part of the Network Slice Selection Function (NSSF) component. An authenticated remote attacker can manipulate input to trigger a denial of service condition against the affected service. The issue is tracked under CWE-404: Improper Resource Shutdown or Release. The exploit has been publicly disclosed, and the project maintainers were notified through a public issue report but have not yet responded.
Critical Impact
Remote attackers with low privileges can disrupt availability of the NSSF service in Open5GS deployments, impacting 5G network slice discovery operations.
Affected Products
- Open5GS versions up to and including 2.7.7
- Open5GS NSSF component (/lib/sbi/message.c)
- 5G Core deployments using Open5GS Service Based Interface (SBI) discovery
Discovery Timeline
- 2026-05-08 - CVE-2026-8123 published to NVD
- 2026-05-11 - Last updated in NVD database
Technical Details for CVE-2026-8123
Vulnerability Analysis
The vulnerability exists in the Service Based Interface (SBI) message handling code of Open5GS. Specifically, ogs_sbi_discovery_option_add_snssais in /lib/sbi/message.c processes Single Network Slice Selection Assistance Information (S-NSSAI) entries used for discovery option negotiation in the NSSF. Improper resource handling during this process allows a remote attacker to cause the service to enter a denial-of-service state.
The NSSF in a 5G Core handles slice selection requests from other network functions through HTTP/2-based SBI calls. Disrupting this component degrades slice discovery for downstream consumers such as AMF and NRF. Because the attack requires only low privileges over the network and no user interaction, any peer network function or attacker with access to SBI endpoints can trigger the condition.
Root Cause
The root cause is improper resource shutdown or release ([CWE-404]) within the S-NSSAI discovery option processing path. Specific code-level details are tracked in the upstream GitHub Issue #4436, where the behavior was reported to the Open5GS maintainers.
Attack Vector
The attack is initiated over the network against an SBI endpoint exposed by the NSSF. The attacker crafts a malformed or abusive discovery request that reaches ogs_sbi_discovery_option_add_snssais, triggering the resource handling defect and degrading service availability. No memory corruption or confidentiality impact has been reported; the resulting impact is limited to availability of the affected component.
The vulnerability has been publicly disclosed, but no working exploit code has been linked from the NVD record. See the VulDB entry #361910 for the public disclosure record.
Detection Methods for CVE-2026-8123
Indicators of Compromise
- Unexpected restarts or crash logs from the Open5GS NSSF process during SBI discovery operations.
- Anomalous SBI HTTP/2 requests targeting the NSSF discovery endpoint with malformed S-NSSAI option payloads.
- Repeated failed slice discovery requests from a single source peer or IP address.
Detection Strategies
- Inspect SBI traffic for nnssf-nsselection discovery option messages containing unusual or repeated S-NSSAI structures.
- Correlate NSSF process termination events with preceding inbound SBI requests to identify trigger patterns.
- Enable verbose logging in Open5GS to capture parsing errors emitted from /lib/sbi/message.c during discovery option processing.
Monitoring Recommendations
- Monitor availability and restart counts of the NSSF service and alert on abnormal restart frequency.
- Track SBI peer behavior and rate-limit unauthenticated or unexpected sources attempting NSSF discovery calls.
- Ingest Open5GS logs into a centralized SIEM or data lake to enable historical correlation of discovery failures with peer identity.
How to Mitigate CVE-2026-8123
Immediate Actions Required
- Restrict network access to NSSF SBI endpoints so they are reachable only by authorized 5G Core network functions.
- Apply strict mutual TLS and peer authentication on SBI interfaces to prevent unauthorized callers from reaching the vulnerable function.
- Track GitHub Issue #4436 for upstream maintainer responses and patch availability.
Patch Information
At the time of publication, the Open5GS project had been notified through a public issue report but had not released a fix. Operators should monitor the Open5GS GitHub repository for updates beyond version 2.7.7 and upgrade once a patched release is available.
Workarounds
- Place NSSF behind a service mesh or API gateway that validates S-NSSAI option structures before forwarding requests.
- Implement rate limiting and connection quotas on SBI peers to slow exploitation attempts.
- Deploy automatic process supervision so the NSSF restarts immediately after a crash, reducing the window of unavailability while a patch is pending.
# Example: restrict NSSF SBI listener to trusted peer subnet using iptables
iptables -A INPUT -p tcp --dport 7777 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
