Description
A vulnerability was found in Open5GS up to 2.7.7. This affects the function ogs_sbi_discovery_option_add_service_names in the library /lib/sbi/message.c of the component NSSF. The manipulation results in denial of service. The attack may be performed from remote. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Open5GS up to version 2.7.7, a flaw exists in the function ogs_sbi_discovery_option_add_service_names, located in /lib/sbi/message.c of the NSSF component. By manipulating the input sent to this routine, an attacker can cause the function to fail to release resources, leading to a denial of service. The vulnerability is classified under CWE-404.

Affected Systems

The affected product is Open5GS, specifically the NSSF service in all releases up to and including 2.7.7. Deployments running any of those versions are vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. Exploitation can be performed remotely and the exploit has been publicly released, so the risk of exploitation is real even though a formal EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog as of this analysis. The remote attack vector means that any externally reachable Open5GS deployment could be targeted without local access; the CVSS vectors recorded for this CVE also specify low privileges required (PR:L) and a low availability impact.

Generated by OpenCVE AI on May 8, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Open5GS to a version newer than 2.7.7 once the vendor releases a patched build.
  • If an immediate upgrade is not possible, disable or block external access to the NSSF discovery service to prevent remote exploitation.
  • Add rate limiting and monitor for repeated service discovery attempts, then investigate any abnormal activity or service restarts.

Advisories

No advisories yet.

History

Fri, 08 May 2026 01:00:00 +0000

Changes (the Values Removed column is empty for every row; Values Added shown below):

  • Description: A vulnerability was found in Open5GS up to 2.7.7. This affects the function ogs_sbi_discovery_option_add_service_names in the library /lib/sbi/message.c of the component NSSF. The manipulation results in denial of service. The attack may be performed from remote. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
  • Title: Open5GS NSSF message.c ogs_sbi_discovery_option_add_service_names denial of service
  • First Time appeared: Open5gs; Open5gs open5gs
  • Weaknesses: CWE-404
  • CPEs: cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*
  • Vendors & Products: Open5gs; Open5gs open5gs
  • References
  • Metrics:
      cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}
      cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
      cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-08T00:45:09.870Z

Reserved: 2026-05-07T16:56:51.086Z

Link: CVE-2026-8122

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T01:16:10.053

Modified: 2026-05-08T01:16:10.053

Link: CVE-2026-8122

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T02:30:43Z

Weaknesses