CVE-2026-8731 Overview
CVE-2026-8731 is a denial of service vulnerability in Open5GS versions up to 2.7.7. The flaw resides in the ogs_sbi_client_add function within /lib/sbi/client.c, a component of the Network Repository Function (NRF). Attackers can manipulate the client_pool argument to trigger resource management failures [CWE-404], degrading the availability of the Service Based Interface (SBI) client subsystem.
The vulnerability is exploitable remotely and requires low privileges. The exploit details have been disclosed publicly, increasing the likelihood of opportunistic abuse against exposed 5G core deployments. The Open5GS project was notified through an issue report but has not responded at the time of publication.
Critical Impact
Remote attackers with low privileges can disrupt Open5GS NRF availability, affecting registration and discovery of network functions in 5G core deployments.
Affected Products
- Open5GS versions up to and including 2.7.7
- Open5GS NRF (Network Repository Function) component
- Open5GS SBI client library (/lib/sbi/client.c)
Discovery Timeline
- 2026-05-17 - CVE-2026-8731 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8731
Vulnerability Analysis
The vulnerability resides in the ogs_sbi_client_add function in the Open5GS Service Based Interface (SBI) library. This function handles the addition of SBI clients to the internal client_pool structure used by the NRF for tracking registered network functions. Improper resource handling in this code path allows an attacker to influence pool management and force a denial of service condition.
The Open5GS NRF is a core component of 5G Service Based Architecture (SBA). It maintains the registry of available network functions and facilitates service discovery between them. Disruption of the NRF cascades to dependent components such as the Access and Mobility Management Function (AMF) and Session Management Function (SMF).
Root Cause
The root cause maps to [CWE-404] Improper Resource Shutdown or Release. The ogs_sbi_client_add function fails to properly handle the lifecycle of objects added to client_pool. Attacker-controlled inputs trigger resource exhaustion or invalid state in the SBI client subsystem.
Attack Vector
The attack vector is network-based and requires low privileges. An attacker capable of interacting with the SBI interface of an Open5GS NRF can manipulate the client_pool argument through crafted requests to ogs_sbi_client_add. The vulnerability does not require user interaction, and exploitation has been disclosed publicly through the GitHub Issue #4464 report.
No verified exploitation code is available. See the VulDB #364320 entry and the Open5GS Repository for technical context.
Detection Methods for CVE-2026-8731
Indicators of Compromise
- Abnormal termination or restart events for the Open5GS NRF process
- Sudden growth in SBI client pool size or memory consumption on the NRF host
- Failed service discovery requests from AMF, SMF, or other 5G network functions
- Repeated SBI client registration attempts from a single source within short intervals
Detection Strategies
- Monitor Open5GS NRF logs for errors originating in ogs_sbi_client_add and client.c
- Baseline normal SBI registration rates and alert on deviations
- Inspect HTTP/2 traffic to the NRF SBI endpoint for malformed or anomalous client registration payloads
- Correlate NRF restarts with upstream SBI request patterns to identify triggering sources
Monitoring Recommendations
- Track NRF process uptime, CPU, and memory metrics with alerting on resource spikes
- Capture network telemetry on the SBI plane and forward to a centralized analytics platform
- Enable verbose Open5GS logging during incident investigation to capture client pool state
How to Mitigate CVE-2026-8731
Immediate Actions Required
- Restrict network access to the Open5GS NRF SBI interface to trusted network functions only
- Place the NRF behind a service mesh or API gateway that enforces authentication and rate limiting
- Audit SBI client registrations and remove unauthorized or stale entries from the client_pool
- Track the Open5GS GitHub repository for upstream patches addressing Issue #4464
Patch Information
No official patch is available at the time of publication. The project maintainers were notified through GitHub Issue #4464 but have not responded. Operators running Open5GS 2.7.7 or earlier should monitor the repository for fixes and apply them as soon as they are released.
Workarounds
- Segment the 5G core control plane network so that only authorized network functions can reach the NRF
- Enforce mutual TLS authentication on all SBI endpoints to prevent unauthenticated client registration
- Apply rate limiting on SBI registration endpoints to reduce the impact of repeated ogs_sbi_client_add calls
- Deploy process supervision to automatically restart the NRF service if it terminates unexpectedly
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
