CVE-2026-8746 Overview
CVE-2026-8746 is a use-after-free vulnerability in Open5GS through version 2.7.7. The flaw resides in the discover_handler function within /lib/sbi/nghttp2-server.c, part of the Network Repository Function (NRF) component. An authenticated remote attacker can trigger the freed memory access over the network, leading to undefined behavior in the affected service. The exploit has been disclosed publicly, increasing the likelihood of opportunistic attempts against exposed 5G core deployments. The Open5GS maintainers were notified through a public issue report but had not responded at the time of disclosure.
Critical Impact
Remote, low-privileged attackers can trigger memory corruption in the Open5GS NRF service, potentially affecting availability of 5G core signaling.
Affected Products
- Open5GS versions up to and including 2.7.7
- Open5GS NRF component (/lib/sbi/nghttp2-server.c)
- Deployments exposing the Service-Based Interface (SBI) endpoints
Discovery Timeline
- 2026-05-17 - CVE-2026-8746 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8746
Vulnerability Analysis
The vulnerability resides in the discover_handler function of the Open5GS NRF library, specifically in /lib/sbi/nghttp2-server.c. The NRF is a core 5G Service-Based Architecture component that handles service discovery requests from other Network Functions (NFs) over HTTP/2. The defect is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer), with the specific weakness being a use-after-free condition. When the handler processes certain discovery requests, it accesses memory that has already been released, producing unpredictable behavior in the running NRF process.
Exploitation occurs over the network and requires low privileges, with no user interaction. The released proof-of-concept information lowers the technical barrier for adversaries seeking to disrupt 5G core signaling paths. The EPSS probability is approximately 0.044% (13.4th percentile), reflecting limited observed exploitation activity at this time.
Root Cause
The root cause is the dereference of a pointer to memory that has been freed earlier in the request-handling flow within discover_handler. The nghttp2 server callback path does not enforce sufficient lifetime guarantees on the structures referenced during asynchronous HTTP/2 stream processing.
Attack Vector
An attacker with network reach to the NRF service and a valid low-privilege context on the SBI can send crafted HTTP/2 discovery requests that drive the handler into the use-after-free state. No verified public exploitation code is referenced in this advisory beyond the disclosure on the project tracker. See GitHub Issue #4476 for the original report.
Detection Methods for CVE-2026-8746
Indicators of Compromise
- Unexpected crashes, restarts, or segmentation faults in the Open5GS NRF process
- Anomalous HTTP/2 traffic patterns targeting NRF service discovery endpoints
- Repeated malformed or unusually structured nnrf-disc requests from a single peer
Detection Strategies
- Monitor NRF process health and core dumps for evidence of memory corruption during request handling
- Inspect SBI traffic for HTTP/2 streams that trigger abnormal handler behavior or short-lived sessions
- Correlate NF discovery request volumes against baseline traffic from authorized network functions
Monitoring Recommendations
- Enable verbose logging on the NRF component and forward logs to a centralized analytics platform
- Track unique source identities issuing discovery requests and alert on unauthorized or unexpected NF identifiers
- Set service-level alerts for NRF restarts, latency spikes, and HTTP/2 stream resets
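The detection and monitoring items above can be combined into one pass over SBI access logs. This is an added example, not Open5GS code or output: the log format, the NF identities, the thresholds and the `analyze` function are assumptions, and the sample lines are constructed. It flags discovery requests from identities outside an allowlist, per-peer bursts above a baseline, and peers that issued discovery requests shortly before an NRF restart.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real Open5GS output. Assumed format from a proxy in
# front of the NRF: "<ISO time> <peer NF identity> <method> <path> <status>",
# plus "<ISO time> supervisor NRF_RESTART" lines from a process supervisor.
SAMPLE_LOG = """\
2026-05-18T10:00:00 amf-01 GET /nnrf-disc/v1/nf-instances?target-nf-type=SMF 200
2026-05-18T10:00:02 nf-unknown GET /nnrf-disc/v1/nf-instances?target-nf-type=AMF 200
2026-05-18T10:00:04 amf-01 PUT /nnrf-nfm/v1/nf-instances/constructed-id 200
2026-05-18T10:00:12 smf-01 GET /nnrf-disc/v1/nf-instances?target-nf-type=UPF 200
2026-05-18T10:00:13 smf-01 GET /nnrf-disc/v1/nf-instances?target-nf-type=UPF 200
2026-05-18T10:00:14 smf-01 GET /nnrf-disc/v1/nf-instances?target-nf-type=UPF 200
2026-05-18T10:00:15 smf-01 GET /nnrf-disc/v1/nf-instances?target-nf-type=UPF 200
2026-05-18T10:00:18 supervisor NRF_RESTART
"""

KNOWN_NFS = {"amf-01", "smf-01"}     # assumed allowlist of authorized NF identities
WINDOW = timedelta(seconds=10)        # sliding window for the per-peer rate
MAX_PER_WINDOW = 3                    # assumed baseline ceiling per peer and window
PRE_RESTART = timedelta(seconds=5)    # look-back when the NRF restarts

def analyze(log_text):
    """Return (kind, detail) alerts for time-ordered log lines."""
    recent, alerts = defaultdict(deque), []   # peer -> timestamps inside WINDOW
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        ts = datetime.fromisoformat(fields[0])
        if fields[2] == "NRF_RESTART":
            # Peers whose last discovery request shortly preceded the restart.
            near = sorted(p for p, q in recent.items() if q and ts - q[-1] <= PRE_RESTART)
            alerts.append(("restart_after_discovery", tuple(near)))
            continue
        if len(fields) < 5 or not fields[3].startswith("/nnrf-disc/"):
            continue
        peer, q = fields[1], recent[fields[1]]
        q.append(ts)
        while ts - q[0] > WINDOW:     # drop timestamps that left the window
            q.popleft()
        findings = [("unknown_peer", peer)] if peer not in KNOWN_NFS else []
        if len(q) > MAX_PER_WINDOW:
            findings.append(("rate_exceeded", peer))
        alerts += [f for f in findings if f not in alerts]   # report each once
    return alerts

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A restart alert with a non-empty peer tuple is the one to triage first, since it ties an NRF crash to specific discovery traffic.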
How to Mitigate CVE-2026-8746
Immediate Actions Required
- Restrict network access to the Open5GS NRF SBI endpoints to authorized Network Functions only
- Apply strict mutual TLS authentication on the SBI to prevent unauthenticated peers from reaching discover_handler
- Increase monitoring of NRF availability and process stability while a vendor fix is pending
Patch Information
At the time of disclosure, no official patch has been released by the Open5GS project. Track the upstream repository at GitHub Open5GS Repository and the issue tracker at GitHub Issue #4476 for fix availability. Refer to the advisory entry on VulDB Vulnerability #364333 for ongoing tracking.
Workarounds
- Place the NRF behind a network policy that allows only known internal NF service meshes
- Use a reverse proxy or service mesh that validates HTTP/2 framing before traffic reaches the NRF
- Rate-limit discovery requests per source identity to reduce exposure to repeated exploitation attempts
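```bash
# Example: restrict NRF SBI exposure with host-level firewall rules
# Allow the SBI port (7777 here) only from the NF subnet (10.0.0.0/24 is an example range)
iptables -A INPUT -p tcp --dport 7777 -s 10.0.0.0/24 -j ACCEPT
# Drop every other source that tries to reach the SBI port
iptables -A INPUT -p tcp --dport 7777 -j DROP
```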