CVE-2026-8744 Overview
CVE-2026-8744 is a denial of service vulnerability in Open5GS versions up to 2.7.7. The flaw resides in the ogs_sbi_subscription_data_add and ogs_sbi_nf_service_add functions within /lib/sbi/context.c, which are part of the Network Repository Function (NRF) component. An authenticated remote attacker can manipulate input to trigger improper resource handling [CWE-404], causing service disruption. The exploit has been publicly disclosed but is not listed in the CISA Known Exploited Vulnerabilities catalog. A fix is available in commit 819db11a08b9736a3576c4f99ceb28f7eb99523a.
Critical Impact
Remote attackers with low privileges can trigger denial of service conditions in Open5GS NRF, disrupting 5G Service-Based Interface (SBI) operations across the core network.
Affected Products
- Open5GS versions up to and including 2.7.7
- Open5GS NRF (Network Repository Function) component
- Open5GS SBI library (/lib/sbi/context.c)
Discovery Timeline
- 2026-05-17 - CVE-2026-8744 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8744
Vulnerability Analysis
The vulnerability affects the Service-Based Interface (SBI) context management code in Open5GS, an open-source 5G core network implementation. The functions ogs_sbi_subscription_data_add and ogs_sbi_nf_service_add use ogs_assert() calls to validate memory pool allocations and string duplications. When the nf_service_pool is exhausted or ogs_strdup() fails, the assertion terminates the entire process rather than gracefully returning an error.
This design causes the NRF, which is the central service registry for 5G network functions, to crash under resource pressure. A remote attacker who can interact with the SBI endpoint can repeatedly trigger allocations that exhaust the pool, forcing process termination [CWE-404: Improper Resource Shutdown or Release].
Root Cause
The root cause is improper resource shutdown and error handling. The original code treats recoverable allocation failures as fatal conditions through ogs_assert(nf_service) and ogs_assert(nf_service->id) statements. Any condition that exhausts the pool or memory allocation triggers an assertion failure, aborting the NRF process.
Attack Vector
The attack vector is network-based and requires low privileges. An attacker with access to the SBI interface can send crafted NFProfile registration requests to exhaust the nf_service_pool or trigger string allocation failures, causing the NRF process to assert and terminate.
// Patch from lib/sbi/context.c - sbi: update NFProfile incrementally
ogs_assert(name);
ogs_pool_alloc(&nf_service_pool, &nf_service);
- ogs_assert(nf_service);
+ if (!nf_service) {
+ ogs_error("OVERFLOW nf_service_pool [pool:%llu]",
+ (unsigned long long)ogs_app()->pool.nf_service);
+ return NULL;
+ }
memset(nf_service, 0, sizeof(ogs_sbi_nf_service_t));
nf_service->id = ogs_strdup(id);
- ogs_assert(nf_service->id);
+ if (!nf_service->id) {
+ ogs_error("ogs_strdup() failed for nf_service->id");
+ ogs_pool_free(&nf_service_pool, nf_service);
+ return NULL;
+ }
nf_service->name = ogs_strdup(name);
- ogs_assert(nf_service->name);
+ if (!nf_service->name) {
+ ogs_error("ogs_strdup() failed for nf_service->name");
+ ogs_free(nf_service->id);
+ ogs_pool_free(&nf_service_pool, nf_service);
+ return NULL;
+ }
nf_service->scheme = scheme;
ogs_assert(nf_service->scheme);
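Review bot: The two asserts left unchanged around this hunk, ogs_assert(name) at the top and ogs_assert(nf_service->scheme) at the bottom, still abort the process, so if either value can be influenced by a registering peer the same crash path remains; consider validating them and returning NULL as the new branches do. The function now returns NULL on three paths, so every caller needs a NULL check, and no caller is visible in this hunk. The name-failure branch repeats the id-failure cleanup by hand; a single cleanup label would make it harder for a later allocation to miss a free.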
Source: Open5GS Commit 819db11a
Detection Methods for CVE-2026-8744
Indicators of Compromise
- Unexpected NRF process termination or crash logs in Open5GS deployments
- Error messages containing OVERFLOW nf_service_pool after patching, indicating exploit attempts against the pool
- Repeated NFProfile registration requests from a single source over the SBI interface
- Sudden loss of service registration across multiple 5G network functions following NRF restart loops
Detection Strategies
- Monitor Open5GS logs for assertion failures referencing ogs_sbi_subscription_data_add or ogs_sbi_nf_service_add
- Track NRF process uptime and restart frequency through systemd or container orchestration logs
- Alert on abnormal volumes of NFRegister or NFUpdate requests reaching the SBI endpoint
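One way to automate the log checks listed above, as an added example that is not part of the advisory or of Open5GS. The function names, the OVERFLOW nf_service_pool string and the open5gs-nrfd unit name come from this page; the log line layout, the systemd exit message, the restart threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Function names and the post-patch error string come from the advisory;
# the surrounding log layout is an assumption about a typical deployment.
ASSERT_RE = re.compile(
    r"(ogs_sbi_subscription_data_add|ogs_sbi_nf_service_add).*assert", re.I)
OVERFLOW_RE = re.compile(r"OVERFLOW nf_service_pool \[pool:(\d+)\]")
EXIT_RE = re.compile(r"open5gs-nrfd\.service: Main process exited")

# Constructed sample lines mixing a patched and an unpatched host.
SAMPLE_LOG = """\
05/18 10:00:01.100: [sbi] ERROR: OVERFLOW nf_service_pool [pool:64] (../lib/sbi/context.c)
05/18 10:00:01.450: [sbi] ERROR: OVERFLOW nf_service_pool [pool:64] (../lib/sbi/context.c)
05/18 10:02:10.007: [sbi] FATAL: ogs_sbi_nf_service_add: Assertion `nf_service' failed.
May 18 10:02:10 core1 systemd[1]: open5gs-nrfd.service: Main process exited, code=killed, status=6/ABRT
May 18 10:02:31 core1 systemd[1]: open5gs-nrfd.service: Main process exited, code=killed, status=6/ABRT
May 18 10:02:52 core1 systemd[1]: open5gs-nrfd.service: Main process exited, code=killed, status=6/ABRT
05/18 10:03:00.000: [nrf] INFO: NRF initialize...done
"""

def scan(lines, restart_threshold=3):
    """Classify log lines and return (counts, alerts)."""
    counts = Counter()
    pool_sizes = set()
    for line in lines:
        m = OVERFLOW_RE.search(line)
        if m:  # patched build: allocation refused, process keeps running
            counts["pool_overflow"] += 1
            pool_sizes.add(int(m.group(1)))
        elif ASSERT_RE.search(line):  # unpatched build: fatal assert
            counts["assert_crash"] += 1
        elif EXIT_RE.search(line):  # supervisor saw the NRF process die
            counts["nrf_exit"] += 1
    alerts = []
    if counts["assert_crash"]:
        alerts.append("unpatched: fatal assert in SBI context code")
    if counts["pool_overflow"]:
        alerts.append(f"patched build hit pool limit(s) {sorted(pool_sizes)}")
    if counts["nrf_exit"] >= restart_threshold:
        alerts.append(f"restart loop: {counts['nrf_exit']} NRF exits")
    return counts, alerts

if __name__ == "__main__":
    counts, alerts = scan(SAMPLE_LOG.splitlines())
    print(dict(counts))
    for a in alerts:
        print("ALERT:", a)
```

Adjust the three patterns to the actual log format of the deployment before relying on the counts.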
Monitoring Recommendations
- Instrument Open5GS with structured logging and forward events to a centralized log analytics platform for correlation
- Establish baselines for nf_service_pool utilization and alert when usage approaches configured limits
- Apply network-layer access controls to restrict which peers can reach the NRF SBI port
How to Mitigate CVE-2026-8744
Immediate Actions Required
- Upgrade Open5GS to a version that includes commit 819db11a08b9736a3576c4f99ceb28f7eb99523a or later
- Restrict network access to the NRF SBI interface to trusted 5G core network functions only
- Audit existing deployments running Open5GS 2.7.7 or earlier and prioritize patching
Patch Information
The vendor has released a fix in commit 819db11a08b9736a3576c4f99ceb28f7eb99523a, merged via Pull Request #4534. The patch replaces fatal ogs_assert() calls with proper error handling that logs the failure, releases partially allocated resources, and returns NULL to the caller. Operators should rebuild Open5GS from the patched source and redeploy the NRF and related SBI components.
Workarounds
- Apply firewall rules or service mesh policies to limit SBI access to authenticated 5G network functions
- Increase the nf_service_pool size in Open5GS configuration to raise the threshold for resource exhaustion as a temporary measure
- Deploy process supervisors that automatically restart the NRF on crash to reduce service disruption while a patch is being prepared
# Build and deploy the patched Open5GS from source
git clone https://github.com/open5gs/open5gs.git
cd open5gs
git checkout 819db11a08b9736a3576c4f99ceb28f7eb99523a
meson build --prefix=/usr/local
ninja -C build
sudo ninja -C build install
sudo systemctl restart open5gs-nrfd


