CVE-2026-8729 Overview
CVE-2026-8729 is a denial of service vulnerability in Open5GS through version 2.7.7. The flaw resides in an unspecified function within the /lib/sbi/message.c library used by the Network Repository Function (NRF) component. Attackers can manipulate the service-names or snssais arguments to trigger the condition remotely. The exploit is publicly available, and the project has not responded to the issue report at the time of disclosure. Open5GS is an open-source implementation of 5G Core and EPC, making this issue relevant to mobile network operators and researchers running test environments.
Critical Impact
Authenticated remote attackers can disrupt the NRF component of Open5GS deployments by crafting malicious service-names or snssais values, causing denial of service against 5G core signaling.
Affected Products
- Open5GS versions up to and including 2.7.7
- Open5GS NRF (Network Repository Function) component
- Deployments using /lib/sbi/message.c for Service-Based Interface message handling
Discovery Timeline
- 2026-05-17 - CVE-2026-8729 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8729
Vulnerability Analysis
The vulnerability affects the Service-Based Interface (SBI) message parsing logic within /lib/sbi/message.c in Open5GS. The NRF acts as the central service discovery and registration endpoint within a 5G Core (5GC) deployment. When the NRF processes SBI messages containing service-names or snssais (Single Network Slice Selection Assistance Information) parameters, improper resource handling leads to a denial of service condition. The weakness is categorized under [CWE-404] Improper Resource Shutdown or Release. Public exploit details are available, and the upstream project has not issued a fix at the time of CVE publication.
Root Cause
The root cause lies in how the SBI message handler in message.c processes the service-names and snssais fields. Manipulated argument values trigger a resource handling failure that crashes or stalls the NRF process. Because the NRF mediates service discovery for other 5G Core network functions, an outage propagates across dependent components such as AMF, SMF, and UPF.
Attack Vector
The attack requires network access to the NRF SBI endpoint and low-privilege authentication, consistent with the CVSS vector indicating AV:N and PR:L. An attacker crafts an SBI HTTP/2 request containing malformed service-names or snssais values targeting the NRF. The malformed message triggers the resource handling defect, resulting in availability loss for the NRF. No user interaction is required, and the attack does not yield confidentiality or integrity impact. Technical details and references are available in the GitHub Issue #4460 and the VulDB Vulnerability #364318 entries.
Detection Methods for CVE-2026-8729
Indicators of Compromise
- Unexpected NRF process crashes or restarts in Open5GS logs coinciding with inbound SBI requests
- SBI HTTP/2 requests containing malformed or oversized service-names or snssais field values
- Service discovery failures reported by AMF, SMF, or other network functions registered with the NRF
Detection Strategies
- Inspect HTTP/2 SBI traffic targeting NRF endpoints for anomalous service-names or snssais payload structures
- Correlate NRF availability drops with concurrent SBI request bursts from low-privilege client identities
- Apply file integrity monitoring on /lib/sbi/message.c and related Open5GS binaries to identify unauthorized modifications
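The correlation described in the second strategy above, as an added example that is not part of the original advisory or of Open5GS: it counts, per client identity, how many NRF restarts were preceded within a short window by a request carrying `service-names` or `snssais`. The log line format, client names, timestamps and the 5-second window are constructed assumptions standing in for a gateway access log and a supervisor restart record.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=5)             # assumed look-back before a restart
WATCHED = ("service-names=", "snssais=")  # parameters named in the advisory

# Constructed sample: "<ISO time> <client id> <request target>" per line.
ACCESS_LOG = """\
2026-05-18T09:14:40 amf-01 /nnrf-disc/v1/nf-instances?target-nf-type=SMF
2026-05-18T09:14:59 client-x /nnrf-disc/v1/nf-instances?target-nf-type=SMF&snssais=%5B%7B%22sst%22%3A1%7D%5D
2026-05-18T09:15:00 amf-01 /nnrf-disc/v1/nf-instances?target-nf-type=UDM&service-names=nudm-sdm
2026-05-18T09:31:10 smf-02 /nnrf-nfm/v1/nf-instances
2026-05-18T09:31:12 client-x /nnrf-disc/v1/nf-instances?target-nf-type=SMF&service-names=nsmf-pdusession
truncated-line
"""
# Constructed sample: times at which the supervisor restarted the NRF.
NRF_RESTARTS = ["2026-05-18T09:15:02", "2026-05-18T09:31:13"]

def parse_access(log):
    """Yield (time, client, target); skip lines that do not parse."""
    for line in log.splitlines():
        parts = line.split(maxsplit=2)
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except (IndexError, ValueError):
            continue

def clients_before_restarts(log, restarts, window=WINDOW):
    """Count, per client, how many restarts it preceded with a watched request."""
    watched = [(ts, client) for ts, client, target in parse_access(log)
               if any(p in target.partition("?")[2] for p in WATCHED)]
    hits = Counter()
    for restart in map(datetime.fromisoformat, restarts):
        hits.update({c for ts, c in watched if restart - window <= ts <= restart})
    return hits
```

A client that appears before every restart ranks above a legitimate network function that happened to query the NRF once inside a window.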
Monitoring Recommendations
- Track NRF process uptime, crash counts, and core dump generation via host-level telemetry
- Forward Open5GS logs to a centralized log analytics platform and alert on repeated message parsing errors
- Monitor 5GC control-plane health metrics, including registration request failure rates across network functions
How to Mitigate CVE-2026-8729
Immediate Actions Required
- Restrict network access to the NRF SBI interface using firewall rules so only authorized 5G Core network functions can reach it
- Audit accounts and clients permitted to communicate with the NRF and revoke unnecessary low-privilege access
- Monitor the Open5GS GitHub repository and Issue #4460 for an upstream fix
Patch Information
No official patch is available at the time of CVE publication. The Open5GS maintainers had not responded to the initial issue report. Operators running Open5GS 2.7.7 or earlier should track upstream commits to lib/sbi/message.c and apply any community-provided fixes after independent review. Refer to the VulDB CTI for #364318 for additional context.
Workarounds
- Deploy the NRF on an isolated management network segment that excludes untrusted clients
- Place an SBI-aware reverse proxy or API gateway in front of the NRF to validate service-names and snssais field structures before forwarding requests
- Implement rate limiting and request size constraints on the NRF endpoint to reduce exposure until a fix is released
- Maintain process supervision (for example, systemd restart policies) to recover NRF availability after a crash
# Example: restrict NRF SBI port (default 7777) to trusted 5GC subnet
sudo iptables -A INPUT -p tcp --dport 7777 -s 10.10.0.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 7777 -j DROP
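One way to implement the gateway-side validation named in the workaround list, as an added example that is not Open5GS or vendor code: an allow-list check for the `service-names` and `snssais` parameters, assuming they arrive as NF discovery query parameters in the shapes 3GPP TS 29.510 and TS 29.571 define (comma-separated service names; a JSON array of objects with `sst` 0 to 255 and an optional six-hex-digit `sd`). The size limits and the service-name character set are assumptions to tune per deployment; the advisory does not state which values trigger the defect, so the check enforces structure rather than matching a signature.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Assumed gateway limits and name charset (not from the advisory); tune per site.
MAX_QUERY_BYTES, MAX_ITEMS = 2048, 16
SERVICE_NAME_RE = re.compile(r"[a-z0-9]+(-[a-z0-9]+)*")  # e.g. nsmf-pdusession
SD_RE = re.compile(r"[A-Fa-f0-9]{6}")  # Snssai "sd": six hex digits

def check_service_names(raw):
    names = raw.split(",")  # array serialized as a comma-separated list
    if len(names) > MAX_ITEMS or len(set(names)) != len(names):
        return "service-names: too many or duplicate items"
    if not all(len(n) <= 64 and SERVICE_NAME_RE.fullmatch(n) for n in names):
        return "service-names: item is not a plain service name"
    return None

def check_snssais(raw):
    try:
        items = json.loads(raw)  # array of Snssai objects carried as JSON
    except (ValueError, RecursionError):  # malformed or deeply nested input
        return "snssais: not valid JSON"
    if not isinstance(items, list) or not 1 <= len(items) <= MAX_ITEMS:
        return "snssais: expected a non-empty JSON array"
    for s in items:
        if not isinstance(s, dict) or set(s) - {"sst", "sd"}:
            return "snssais: item is not an {sst, sd} object"
        if type(s.get("sst")) is not int or not 0 <= s["sst"] <= 255:
            return "snssais: sst must be an integer 0..255"
        if "sd" in s and not (isinstance(s["sd"], str) and SD_RE.fullmatch(s["sd"])):
            return "snssais: sd must be six hex digits"
    return None

CHECKS = {"service-names": check_service_names, "snssais": check_snssais}

def validate_discovery_query(target):
    """Return None to forward the request, or a rejection reason string."""
    query = urlsplit(target).query
    if len(query.encode()) > MAX_QUERY_BYTES:
        return "query string too long"
    params = parse_qs(query, keep_blank_values=True)
    for key, check in CHECKS.items():
        values = params.get(key, [])
        if len(values) > 1:
            return key + ": parameter repeated"
        reason = check(values[0]) if values else None
        if reason:
            return reason
    return None
```

A gateway would answer a non-`None` result with an HTTP 400 and log the reason together with the client identity, which also feeds the detection strategies listed earlier.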