CVE-2026-8186 Overview
CVE-2026-8186 is an out-of-bounds read vulnerability in Open5GS versions up to 2.7.7. The flaw resides in the ogs_sbi_client_send_via_scp_or_sepp function within lib/sbi/client.c, which is part of the Network Function (NF) component. An attacker can trigger the issue remotely by sending a callback URI that lacks a path component, causing the Service Based Interface (SBI) client to read outside the bounds of an allocated buffer. The vulnerability is categorized under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). Open5GS maintainers addressed the issue in commit d5bc487fcf9ea87d2b03f2ef95123af344773bfb.
Critical Impact
Remote, unauthenticated attackers can crash Open5GS Network Function instances, disrupting 5G core service availability.
Affected Products
- Open5GS versions up to and including 2.7.7
- Open5GS SBI library (lib/sbi/client.c)
- Open5GS Network Function (NF) components relying on SCP/SEPP routing
Discovery Timeline
- 2026-05-09 - CVE-2026-8186 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-8186
Vulnerability Analysis
The defect lives in the Open5GS SBI client routing logic used to forward requests through a Service Communication Proxy (SCP) or Security Edge Protection Proxy (SEPP). When ogs_sbi_client_send_via_scp_or_sepp processes a request, it calls ogs_sbi_getpath_from_uri to extract the path portion of the callback URI. The pre-patch code did not check the boolean return value of that helper. When the URI lacks a path component, the helper returns false and leaves the path variable uninitialized or invalid, but execution continues. The subsequent ogs_assert(path) and ogs_msprintf calls then operate on unsafe memory, producing an out-of-bounds read and a crash of the Network Function process.
Root Cause
The root cause is missing return-value validation on ogs_sbi_getpath_from_uri. Callback URIs supplied by peer NFs are not sanitized before parsing, so a malformed URI without a path segment propagates directly into string formatting routines that assume a valid path pointer.
Attack Vector
The attack is network-reachable and requires no authentication or user interaction. An attacker who can deliver an SBI request with a crafted callback URI to a vulnerable Open5GS NF triggers the out-of-bounds read on the receiving end. The result is a denial of service against the affected NF, which can ripple through the 5G core's signaling plane.
ogs_assert(apiroot);
rc = ogs_sbi_getpath_from_uri(&path, request->h.uri);
+ if (rc == false) {
+ ogs_error("Cannot extract path from URI [%s]", request->h.uri);
+ ogs_free(apiroot);
+ return false;
+ }
ogs_assert(path);
request->h.uri = ogs_msprintf("%s/%s", apiroot, path);
Source: Open5GS commit d5bc487fcf9ea87d2b03f2ef95123af344773bfb. The patch adds an explicit rc == false check, logs the malformed URI, frees apiroot, and aborts the send operation before the unsafe read occurs.
Detection Methods for CVE-2026-8186
Indicators of Compromise
- Open5GS error log entries containing Cannot extract path from URI after the patch is applied, indicating malformed SBI callback URIs reaching the NF.
- Unexpected crashes or restarts of Open5GS NF processes such as AMF, SMF, or NRF tied to SBI client activity.
- Inbound SBI HTTP/2 requests carrying callback URIs that contain only a scheme and authority with no path component.
Detection Strategies
- Inspect HTTP/2 SBI traffic on the 5G core service mesh for callback URIs missing a path segment and alert on anomalous URI shapes reaching SCP or SEPP relays.
- Correlate NF process termination events with preceding inbound SBI requests to identify request-triggered crashes.
- Monitor Open5GS application logs for assertion failures or abnormal exits from functions in lib/sbi/client.c.
Monitoring Recommendations
- Forward Open5GS NF logs and host telemetry into a centralized analytics pipeline for crash and error correlation.
- Track SBI peer behavior and rate of malformed URI rejections per source NF to surface scanning or fuzzing activity.
- Baseline normal NF process uptime and alert on restart frequency anomalies in the 5G control plane.
How to Mitigate CVE-2026-8186
Immediate Actions Required
- Apply Open5GS commit d5bc487fcf9ea87d2b03f2ef95123af344773bfb or upgrade to a release that includes pull request #4496.
- Inventory all Open5GS deployments at or below version 2.7.7 and prioritize patching production NFs exposed to SBI peers.
- Restrict SBI network reachability to trusted NFs using network policy, mutual TLS, and segmentation.
Patch Information
The upstream fix is published in the Open5GS repository as commit d5bc487fcf9ea87d2b03f2ef95123af344773bfb, merged via Open5GS pull request #4496. The patch validates the return value of ogs_sbi_getpath_from_uri, logs the offending URI, releases the apiroot allocation, and returns false instead of dereferencing an invalid path pointer. See the Open5GS GitHub repository for release artifacts and the original GitHub issue #4491 for additional context.
Workarounds
- Place an SBI-aware reverse proxy in front of Open5GS NFs to reject HTTP/2 requests whose callback URIs lack a path component.
- Limit SBI exposure to a private control-plane network and enforce mutual TLS between NFs to reduce the attacker pool.
- Enable process supervision and automatic restart for Open5GS NFs to reduce service downtime while patching is scheduled.
# Update Open5GS source to the patched commit and rebuild
git clone https://github.com/open5gs/open5gs.git
cd open5gs
git checkout d5bc487fcf9ea87d2b03f2ef95123af344773bfb
meson build --prefix=`pwd`/install
ninja -C build
ninja -C build install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
