CVE-2026-10114
Out-of-Bounds Write in Open5GS Shared NF-Profile Parser
Publication date: 2026-05-30
Last updated on: 2026-05-30
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | up to 2.7.7 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10114 is a buffer overflow in Open5GS, located in the shared NF-profile parser: the function `handle_scp_info` in the file `lib/sbi/nnrf-handler.c`.
The problem arises because attacker-controlled SCP domain entries are copied into a fixed-size array without proper bounds checking, leading to an out-of-bounds write.
This memory corruption can cause a segmentation fault and crash affected network functions such as AMF, AUSF, BSF, NSSF, PCF, SMF, UDM, UDR, SCP, SEPP, and NRF.
The vulnerability can be triggered remotely by sending maliciously crafted NF-profile data, for example, an HTTP/2 request with excessive scpDomainInfoList entries to the NRF endpoint.
A patch has been released to fix this issue.
How can this vulnerability impact me?
This vulnerability can cause memory corruption leading to a segmentation fault, which results in the crash of critical 5G core network functions.
Such crashes can disrupt network services provided by affected components like AMF, AUSF, BSF, NSSF, PCF, SMF, UDM, UDR, SCP, SEPP, and NRF.
Because the attack can be initiated remotely, it poses a risk of denial of service (DoS) against the 5G core network infrastructure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for segmentation faults (exit code 139) in affected Open5GS network functions such as AMF, AUSF, BSF, NSSF, PCF, SMF, UDM, UDR, SCP, SEPP, and NRF. The issue is triggered by processing maliciously crafted NF-profile data containing excessive scpDomainInfoList entries in HTTP/2 requests to the NRF endpoint.
To detect exploitation attempts, you can capture and analyze HTTP/2 traffic to the NRF endpoint for unusually large or malformed scpDomainInfoList entries.
While no specific commands are provided in the resources, general detection steps include:
- Check system logs for segmentation faults related to Open5GS processes (e.g., using `journalctl -xe` or `dmesg` on Linux).
- Use network packet capture tools like `tcpdump` or `wireshark` to monitor HTTP/2 traffic to the NRF endpoint for suspicious payloads.
- Use process monitoring commands such as `ps aux | grep open5gs` to check for unexpected process crashes or restarts.
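As an added example (not from the advisory or the Open5GS project), the log check in the first bullet can be scripted: the code below scans journal and kernel log lines for SIGSEGV indicators and attributes them to the affected network functions. The `open5gs-<nf>d` daemon/unit naming, the supervisor-style "exited with code 139" line and the sample log are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Network functions the advisory lists as affected.
AFFECTED = {"amf", "ausf", "bsf", "nssf", "pcf", "smf",
            "udm", "udr", "scp", "sepp", "nrf"}

# Assumption: daemons and systemd units are named open5gs-<nf>d.
PATTERNS = [
    # systemd: the unit's main process was killed by SIGSEGV (signal 11)
    re.compile(r"open5gs-(?P<nf>[a-z]+)d\.service: Main process exited, .*status=11/SEGV"),
    # kernel ring buffer (dmesg): fault reported for the daemon process
    re.compile(r"open5gs-(?P<nf>[a-z]+)d\[\d+\]: segfault at "),
    # hypothetical supervisor/wrapper line: exit code 139 = 128 + SIGSEGV (11)
    re.compile(r"open5gs-(?P<nf>[a-z]+)d\b.*exit(?:ed with)? code 139\b"),
]

# Constructed sample input, not taken from a real system.
SAMPLE_LOG = """\
May 30 10:14:02 core1 kernel: open5gs-nrfd[2210]: segfault at 7f00deadb000 ip 00007f00dead1234 sp 00007ffc0000f000 error 6 in libexample.so[7f00dead0000+5000]
May 30 10:14:02 core1 systemd[1]: open5gs-nrfd.service: Main process exited, code=dumped, status=11/SEGV
May 30 10:14:07 core1 systemd[1]: open5gs-nrfd.service: Scheduled restart job, restart counter is at 1.
May 30 10:15:40 core1 supervisor: open5gs-smfd exited with code 139
May 30 10:16:00 core1 systemd[1]: open5gs-upfd.service: Main process exited, code=exited, status=1/FAILURE
""".splitlines()


def find_crashes(lines):
    """Count segfault indicator lines per affected NF.

    One crash can produce more than one indicator line (kernel + systemd),
    so the counts are indicators seen, not distinct crashes.
    """
    hits = Counter()
    for line in lines:
        for pattern in PATTERNS:
            match = pattern.search(line)
            if match and match.group("nf") in AFFECTED:
                hits[match.group("nf")] += 1
                break  # one indicator per line is enough
    return hits


if __name__ == "__main__":
    for nf, count in sorted(find_crashes(SAMPLE_LOG).items()):
        print(f"{nf.upper()}: {count} segfault indicator line(s)")
```

On a live host the same function can be fed the output of `journalctl` or `dmesg` line by line; a crash of the NRF or of any NF shortly after it processes an NF profile is the pattern worth correlating with captured traffic.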
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to deploy the patch that fixes the vulnerability in the Open5GS codebase. The issue has been fixed by adding proper bounds checking in the `handle_scp_info()` function to prevent out-of-bounds writes.
Until the patch can be applied, consider restricting or monitoring access to the NRF endpoint to prevent malicious HTTP/2 requests containing crafted NF-profile data.
Additionally, monitor the affected Open5GS network functions for crashes or abnormal behavior that could indicate exploitation attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-10114 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.