Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-10115 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

The vulnerability CVE-2026-10115 exists in Open5GS up to version 2.7.7, specifically in the shared NF-profile parser located in the file lib/sbi/nnrf-handler.c. It occurs when the parser processes an oversized list of DNN entries within the smfInfo.sNssaiSmfInfoList[*].dnnSmfInfoList. The parser does not properly validate the length of this list, allowing an attacker to send a maliciously crafted NF-profile payload containing more DNN entries than the fixed-size buffer can handle.

This improper input validation causes an assertion failure (dnn_index < OGS_MAX_NUM_OF_DNN) leading to a crash of the process with exit code 139, resulting in a denial-of-service (DoS) condition. Multiple network functions that share this parser, including NRF, AMF, AUSF, BSF, NSSF, PCF, SMF, UDM, and UDR, are affected by this issue.

The vulnerability can be exploited remotely by sending a crafted NF-profile with excessive DNN entries, causing the targeted process to crash.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition in Open5GS network functions that rely on the shared NF-profile parser. An attacker can remotely crash critical network components such as NRF, AMF, AUSF, BSF, NSSF, PCF, SMF, UDM, and UDR by sending malicious NF-profile payloads with oversized DNN lists.

The impact is that these network functions will terminate unexpectedly, disrupting the availability and reliability of the affected 5G core network services.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal termination of Open5GS network functions such as NRF, AMF, SMF, and others that share the NF-profile parser. Specifically, look for process crashes with exit code 139 or SIGABRT signals related to the handling of NF-profile payloads.

Detection can involve capturing and analyzing NF-profile registration messages to identify oversized lists, particularly the smfInfo.sNssaiSmfInfoList[*].dnnSmfInfoList entries exceeding the allowed size (more than 16 entries).

Suggested commands include:

• Use system logs or journalctl to check for crashes: `journalctl -u open5gs-nrf -e` or `journalctl -xe` to find SIGABRT or exit code 139 events.
• Use network packet capture tools like tcpdump or Wireshark to capture SBA (Service-Based Architecture) traffic and inspect NF-profile registration messages for oversized inner lists.
• Example tcpdump command to capture relevant traffic: `tcpdump -i <interface> -w capture.pcap port 80 or port 443` (adjust ports as per SBA configuration).
• Analyze captured packets with Wireshark or custom scripts to parse NF-profile payloads and count the number of entries in dnnSmfInfoList or tacRangeList.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to apply the patch or update Open5GS to a version where this vulnerability is fixed.

The fix involves adding pre-validation in the NRF registration path to reject oversized NF-profile inner lists with HTTP 400 Bad Request responses before processing, preventing the denial-of-service condition.

Additionally, the parser has been improved to gracefully handle oversized lists by capping and breaking loops instead of crashing, maintaining service availability.

Until the patch is applied, consider monitoring and blocking suspicious NF-profile registration messages with unusually large inner lists to reduce the risk of exploitation.

Useful 0 Not Useful 0