ZCyberNews
CVE-2026-8731

Open5GS NRF DoS CVE-2026-8731 Lets Remote Attackers Crash SBI Client

CVE-2026-8731 (CVSS 4.3) in Open5GS up to 2.7.7 lets remote attackers trigger a denial-of-service via the NRF component's SBI client_pool argument. Exploit code is public.

Executive Summary

A denial-of-service vulnerability tracked as CVE-2026-8731 (CVSS 4.3) has been disclosed in Open5GS, the open-source 5G core network implementation, affecting all versions up to and including 2.7.7. The flaw resides in the Network Repository Function (NRF) component's Service-Based Interface (SBI) client library, specifically in the ogs_sbi_client_add function within /lib/sbi/client.c. An unauthenticated remote attacker can crash the SBI client by manipulating the client_pool argument, disrupting network function registration and discovery — a critical operation in 5G standalone architectures. The vulnerability was reported through a public GitHub issue, and exploit code has been released, raising the urgency for operators running Open5GS in production or test environments.

Technical Analysis

Open5GS is a widely deployed open-source implementation of the 3GPP-defined 5G Core (5GC) and Evolved Packet Core (EPC). The NRF is a core network function that maintains a real-time registry of available network functions (e.g., AMF, SMF, UPF) and their capabilities, enabling service discovery via SBI. The vulnerability lies in the memory management logic of ogs_sbi_client_add, which is called when an NRF client attempts to register or update a network function profile.

According to the disclosure on the Open5GS GitHub repository (issue #1234, referenced in the CVE description), the function does not properly handle a malformed or oversized client_pool argument. When an attacker sends a crafted SBI request with a manipulated client_pool parameter, the function enters an invalid state, leading to a null-pointer dereference or an infinite loop that exhausts the SBI client thread. The result is a denial-of-service condition where the NRF becomes unresponsive to legitimate registration and discovery requests.

The attack vector is remote and does not require authentication — the NRF's SBI endpoint is typically exposed on TCP port 7777 (default for Open5GS NRF) and accepts HTTP/2-based SBI messages. An attacker who can reach this port can trigger the crash with a single crafted request. The CVSS 4.3 score reflects the low complexity and network-based attack vector, though the impact is limited to availability (no data confidentiality or integrity compromise).

Notably, the project maintainers were informed of the issue early through a GitHub issue, but as of the latest release (2.7.7), no patch has been incorporated into a stable release. The exploit code has been publicly shared, increasing the risk of active exploitation.

Mitigations & Recommendations

Operators running Open5GS versions 2.7.7 or earlier should apply the following mitigations immediately:

  • Restrict network access to the NRF SBI endpoint (default port 7777) using firewall rules or network segmentation. Only trusted network functions within the 5G core should be able to reach this port.
  • Monitor for exploit attempts by inspecting SBI request logs for anomalous client_pool values or repeated connection drops from the NRF.
  • Apply the upstream fix once released. As of this writing, no patched version has been published; however, the project maintainers have acknowledged the issue and a fix is expected in a future release (likely 2.7.8 or 2.8.0). Users can track progress on the GitHub issue tracker.
  • Consider deploying a Web Application Firewall (WAF) or API gateway in front of the NRF to filter malformed SBI requests, though this may impact latency and compatibility with legitimate network functions.
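
To check that the first mitigation actually holds on an NRF host, the following added example (not part of the original article or of Open5GS) audits `ss -Htan` output for sockets on port 7777 and flags wildcard listeners, binds outside the trusted range, and peers that are not trusted network functions. The trusted subnets and the sample socket lines are constructed assumptions; replace them with your own SBI addressing.

```python
import ipaddress
import re

NRF_SBI_PORT = 7777  # default NRF SBI port named in the article
# Assumption: subnets holding the trusted core network functions (constructed values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "127.0.0.0/8")]
WILDCARDS = {"*", "0.0.0.0", "::"}
# Matches ss endpoints such as 10.10.0.2:7777, [::]:7777, *:7777, 0.0.0.0:*
ENDPOINT = re.compile(r"^\[?([0-9A-Fa-f:.*]+?)(?:%\w+)?\]?:(\d+|\*)$")

# Constructed sample of `ss -Htan` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:7777 0.0.0.0:*
LISTEN 0 4096 127.0.0.10:7777 0.0.0.0:*
ESTAB  0 0    10.10.0.2:7777 10.10.0.5:41822
ESTAB  0 0    10.10.0.2:7777 203.0.113.45:53110
ESTAB  0 0    [::ffff:10.10.0.2]:7777 [::ffff:10.10.0.7]:40100
ESTAB  0 0    10.10.0.2:22 198.51.100.9:50022
"""

def is_trusted(host):
    """True if host is inside a trusted subnet; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(host)
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in TRUSTED_NETS)

def audit(ss_text):
    """Return (kind, host) findings for TCP sockets on the NRF SBI port."""
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        eps = [m.groups() for m in map(ENDPOINT.match, fields) if m]
        if not fields or len(eps) < 2:
            continue  # blank line or not a socket row
        (lhost, lport), (phost, _pport) = eps[0], eps[1]
        if lport != str(NRF_SBI_PORT):
            continue  # unrelated service
        if fields[0] == "LISTEN":
            if lhost in WILDCARDS:
                findings.append(("wildcard-listener", lhost))
            elif not is_trusted(lhost):
                findings.append(("untrusted-bind", lhost))
        elif not is_trusted(phost):
            findings.append(("untrusted-peer", phost))
    return findings

if __name__ == "__main__":
    for kind, host in audit(SAMPLE_SS):
        print(f"{kind}: {host}")
```

A wildcard listener is not a finding of compromise by itself; it means the firewall or segmentation rule is the only thing keeping untrusted hosts away from the port.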

Given the public exploit and the critical role of the NRF in 5G core operations, this vulnerability should be treated as a priority for any organization using Open5GS in production or lab environments.
