CVE-2026-8728 Overview
CVE-2026-8728 is a denial-of-service vulnerability in Open5GS versions up to 2.7.7. The flaw resides in the ogs_sbi_discovery_option_parse_plmn_list function within the /lib/sbi/conv.c library file, which is part of the Network Repository Function (NRF) component. Attackers can manipulate the target-plmn-list argument to trigger a denial of service against the affected service. The attack is executable remotely and requires only low privileges. According to the disclosure, the exploit has been made public, and the Open5GS project was informed through an issue report but has not responded at the time of publication.
Critical Impact
Remote attackers with low-privilege access can disrupt the availability of Open5GS NRF services by sending crafted target-plmn-list input.
Affected Products
- Open5GS versions up to and including 2.7.7
- Network Repository Function (NRF) component
- Service Based Interface (SBI) library /lib/sbi/conv.c
Discovery Timeline
- 2026-05-17 - CVE-2026-8728 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8728
Vulnerability Analysis
The vulnerability is classified under [CWE-404] Improper Resource Shutdown or Release. It affects the Service Based Interface (SBI) layer of Open5GS, an open-source implementation of 5G Core and EPC. The defective function ogs_sbi_discovery_option_parse_plmn_list does not properly handle parsing of the target-plmn-list parameter. When an attacker submits malformed or unexpected input, the function fails to release resources or terminates abnormally, resulting in service disruption of the NRF. The NRF is a central component in 5G core networks, responsible for service discovery and registration among Network Functions (NFs).
Root Cause
The root cause is improper resource handling within the Public Land Mobile Network (PLMN) list parsing logic in conv.c. The function processes the target-plmn-list argument without sufficient validation or cleanup paths, leading to a denial-of-service condition when malformed input is supplied. Improper resource shutdown allows external input to influence the runtime stability of the NRF process.
Attack Vector
The attack vector is network-based. An attacker holding low-privilege access to the SBI interface sends crafted requests targeting NRF discovery endpoints, supplying malicious target-plmn-list values. No user interaction is required. Because the SBI typically operates over HTTP/2 between 5G core components, exposure of these interfaces to untrusted networks or compromised internal NFs amplifies the impact. Successful exploitation degrades availability of NF discovery, disrupting registration and service orchestration in the 5G core.
// No verified proof-of-concept code available.
// Refer to GitHub Issue #4458 and VulDB #364317 for technical disclosure details.
Detection Methods for CVE-2026-8728
Indicators of Compromise
- Unexpected termination or restart of Open5GS NRF processes following SBI requests containing target-plmn-list parameters
- Repeated malformed NF discovery requests against NRF endpoints from a single or limited set of sources
- Abnormal increases in NRF error logs referencing ogs_sbi_discovery_option_parse_plmn_list or conv.c
Detection Strategies
- Monitor NRF service uptime and crash frequency for anomalies correlated with inbound SBI traffic
- Inspect HTTP/2 traffic on SBI interfaces for malformed or oversized target-plmn-list query parameters
- Apply log-based alerting on Open5GS error output indicating parsing failures or abnormal terminations in the SBI library
Monitoring Recommendations
- Aggregate Open5GS logs centrally and alert on repeated NRF crashes or restarts
- Track NF discovery request rates and error responses to identify abuse patterns
- Continuously monitor SBI interface exposure to ensure it is restricted to trusted internal segments
How to Mitigate CVE-2026-8728
Immediate Actions Required
- Restrict access to the NRF SBI interface to authenticated, trusted 5G core network functions only
- Place Open5GS NRF behind network segmentation and firewall rules that block untrusted sources
- Audit existing Open5GS deployments to confirm whether versions up to 2.7.7 are in production
Patch Information
At the time of publication, no official patch has been released. The Open5GS project was informed through an issue report but has not yet responded. Administrators should monitor the GitHub Open5GS Repository and GitHub Issue #4458 for updates. Additional disclosure details are available at VulDB Vulnerability #364317.
Workarounds
- Filter or rate-limit inbound SBI requests containing target-plmn-list parameters at a reverse proxy or service mesh layer
- Deploy input validation rules at an API gateway in front of Open5GS NRF to reject malformed PLMN list payloads
- Limit exposure of the NRF to the management plane and authenticated NF peers only
# Example: restrict NRF SBI interface to trusted subnet using iptables
iptables -A INPUT -p tcp --dport 7777 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
