CVE-2026-8730 Overview
CVE-2026-8730 is a denial-of-service vulnerability in Open5GS, an open-source implementation of 5G Core and EPC. The flaw affects versions up to 2.7.6 and resides in the ogs_sbi_nf_instance_set_id function within /lib/sbi/context.c, part of the Network Repository Function (NRF) component. An authenticated remote attacker can manipulate the nfInstanceId argument to trigger improper resource handling [CWE-404], leading to service disruption. The exploit has been publicly disclosed. The Open5GS project was notified via an issue report but has not yet responded.
Critical Impact
Remote attackers with low privileges can disrupt the availability of the Open5GS NRF component, affecting 5G Core service registration and discovery.
Affected Products
- Open5GS versions up to and including 2.7.6
- Component: Network Repository Function (NRF)
- Library: /lib/sbi/context.c
Discovery Timeline
- 2026-05-17 - CVE-2026-8730 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-8730
Vulnerability Analysis
The vulnerability resides in the ogs_sbi_nf_instance_set_id function inside the Service-Based Interface (SBI) context library used by the Open5GS Network Repository Function (NRF). The NRF is a control-plane element in the 5G Core architecture responsible for registering and discovering Network Functions (NFs). When the function processes the nfInstanceId argument supplied by a peer NF, improper resource management [CWE-404] causes the NRF to enter a faulty state. The result is a denial-of-service condition that disrupts NF registration and discovery across the 5G Core. The issue carries an EPSS score of 0.041%, indicating low predicted exploitation activity, though a public proof of concept exists.
Root Cause
The root cause is improper resource handling within ogs_sbi_nf_instance_set_id when the nfInstanceId parameter is supplied in an unexpected form. The function fails to validate or properly release associated resources, mapping to CWE-404 (Improper Resource Shutdown or Release). This results in service interruption rather than memory corruption or code execution.
Attack Vector
The attack is remote and network-based. An attacker requires low privileges, consistent with the role of an authenticated peer Network Function that can reach the NRF over the SBI. By crafting a request that manipulates the nfInstanceId field sent to the NRF, the attacker can trigger the resource handling flaw and degrade or halt NRF operation. Public exploit material has been published. See GitHub Issue #4462 and VulDB Vulnerability #364319 for technical details.
Detection Methods for CVE-2026-8730
Indicators of Compromise
- Repeated or malformed nfInstanceId values in SBI requests reaching the NRF endpoint
- Unexpected NRF process crashes, restarts, or hangs correlated with inbound SBI traffic
- Failures in NF registration (NFRegister) or discovery (NFDiscover) operations across the 5G Core
Detection Strategies
- Inspect HTTP/2 SBI traffic destined for the NRF and flag requests containing abnormal or oversized nfInstanceId parameters.
- Monitor Open5GS logs for errors generated by the ogs_sbi_nf_instance_set_id code path in /lib/sbi/context.c.
- Correlate NRF service availability metrics with source NF identities to identify anomalous peers issuing repeated suspect requests.
Monitoring Recommendations
- Enable health checks and liveness probes on the NRF container or process to detect service degradation quickly.
- Centralize Open5GS logs and SBI traffic telemetry for retention and query during incident response.
- Track baseline NF registration rates and alert on sudden spikes in registration failures.
How to Mitigate CVE-2026-8730
Immediate Actions Required
- Restrict network access to the NRF SBI interface so only trusted Network Functions can reach it.
- Apply mutual TLS (mTLS) and strict OAuth2 token validation on all SBI peers to limit who can submit nfInstanceId values.
- Place rate limits and input validation in front of the NRF using a service mesh or reverse proxy.
Patch Information
As of the last NVD update on 2026-05-19, the Open5GS project has not published a fix. Monitor the Open5GS GitHub repository and GitHub Issue #4462 for an upstream patch. Once available, upgrade beyond version 2.7.6 in all production and lab deployments.
Workarounds
- Deploy the NRF on an isolated control-plane network segment unreachable from untrusted endpoints.
- Add a validating proxy or API gateway in front of the NRF to reject malformed nfInstanceId parameters before they reach ogs_sbi_nf_instance_set_id.
- Implement automated restart and failover for the NRF process so that a successful denial-of-service attempt results in minimal downtime.

# Example: restrict NRF SBI access with iptables to trusted NF subnets only
iptables -A INPUT -p tcp --dport 7777 -s 10.10.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP

# Example: systemd auto-restart for the Open5GS NRF service
# /etc/systemd/system/open5gs-nrfd.service.d/override.conf
[Service]
Restart=always
RestartSec=5s
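
The validating-proxy workaround and the SBI traffic-inspection detection strategy above both come down to one check on requests addressed to the NRF, sketched here as an added example that is not Open5GS or advisory code. The names check_nrf_request and triage and the sample requests are constructed for illustration; the check assumes the canonical UUID form that 3GPP TS 29.571 gives NfInstanceId and the TS 29.510 NFManagement resource path, because the advisory does not say which malformed form triggers the flaw.

```python
import json
import re
from urllib.parse import unquote, urlsplit

# NfInstanceId is typed as a UUID in 3GPP TS 29.571; accept only the
# canonical 36-character text form (assumed policy, not taken from the page).
UUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
NFM_PREFIX = "/nnrf-nfm/v1/nf-instances/"  # NFManagement resource (TS 29.510)


def check_nrf_request(method, target, body=b""):
    """Return (allow, reason) for one SBI request addressed to the NRF."""
    path = urlsplit(target).path
    if not path.startswith(NFM_PREFIX):
        return True, "no nfInstanceId in path"
    # Decode before matching so %2F, %00 and similar cannot hide in the id.
    path_id = unquote(path[len(NFM_PREFIX):])
    if not UUID_RE.fullmatch(path_id):
        return False, "path nfInstanceId is not a canonical UUID"
    if method.upper() != "PUT":
        return True, "ok"
    # NFRegister (PUT) carries an NFProfile whose nfInstanceId must agree.
    try:
        profile = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return False, "NFProfile body is not valid JSON"
    body_id = profile.get("nfInstanceId") if isinstance(profile, dict) else None
    if not isinstance(body_id, str) or not UUID_RE.fullmatch(body_id):
        return False, "body nfInstanceId missing or not a canonical UUID"
    if body_id.lower() != path_id.lower():
        return False, "body nfInstanceId differs from path nfInstanceId"
    return True, "ok"


# Constructed sample requests (method, target, body); not captured traffic.
GOOD_ID = "0b8a6f3e-5c1d-4e2a-9f47-3a1c2d4e5f60"
SAMPLES = [
    ("PUT", NFM_PREFIX + GOOD_ID, json.dumps({"nfInstanceId": GOOD_ID, "nfType": "AMF"}).encode()),
    ("PUT", NFM_PREFIX + "A" * 4096, b"{}"),
    ("PUT", NFM_PREFIX + GOOD_ID, b'{"nfInstanceId": "not-a-uuid"}'),
    ("GET", NFM_PREFIX + GOOD_ID + "%2Fextra", b""),
]


def triage(samples=SAMPLES):
    """Verdicts for a batch of requests, in the order given."""
    return [check_nrf_request(*s) for s in samples]
```

The reason string on each denial can be logged alongside the peer NF identity, which supports the correlation of suspect requests with source NFs described under Detection Strategies.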


