CVE-2026-10156
Resource Exhaustion in Open5GS via nf-info Pool Manipulation
Publication date: 2026-05-31
Last updated on: 2026-05-31
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | up to and including 2.7.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-10156 is a vulnerability in Open5GS, specifically in the Network Repository Function (NRF) component. It occurs when the NRF processes an oversized amfInfoList payload in NFProfile objects, which leads to resource exhaustion of the NF-info pool.
The vulnerability can be triggered remotely either by sending a maliciously large amfInfoList via a PUT request to the nf-instances endpoint or indirectly through inter-PLMN discovery via a GET request where a malicious Home-NRF returns an oversized payload.
Because the NRF tries to allocate memory for each entry in the amfInfoList without properly validating or limiting its size, the fixed-size pool is exhausted, causing an assertion failure and a fatal crash of the NRF process.
This results in a denial-of-service condition where the NRF crashes instead of rejecting the large payload gracefully.
How can this vulnerability impact me?
This vulnerability can lead to a denial-of-service (DoS) condition by crashing the Network Repository Function (NRF) component of Open5GS.
An attacker can remotely exploit this issue by sending a specially crafted request with an oversized amfInfoList, causing the NRF to exhaust its resources and crash.
The impact is that the affected network function becomes unavailable, potentially disrupting 5G core network operations that rely on the NRF for service discovery and registration.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or abnormal termination of the Open5GS Network Repository Function (NRF) process, which may exit with code 139 due to resource exhaustion caused by oversized amfInfoList payloads.
Detection can also involve inspecting network traffic for suspicious PUT requests to the endpoint /nnrf-nfm/v1/nf-instances/{nfInstanceId} containing unusually large amfInfoList fields, or GET requests to /nnrf-disc/v1/nf-instances that return oversized amfInfoList payloads.
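Suggested commands include capturing traffic with tcpdump or Wireshark to filter for these API calls and payload sizes, and searching the NRF logs for the pool allocation failure and the crash. The tcpdump filter below only shows the field when the traffic is not TLS-encrypted.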
- tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'amfInfoList'
- grep -r 'ogs_pool_alloc() failed' /var/log/open5gs/*
- journalctl -u open5gs-nrf.service | grep 'exit code 139'
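The grep on `amfInfoList` above matches every profile that carries the field, not only oversized ones. The following added example (not Open5GS code and not from the advisory) counts `amfInfoList` entries in decoded cleartext request and response bodies for the two endpoints named above. The threshold of 16, the `nfInstances` response key, and the sample messages are assumptions made for illustration.

```python
import json
import re

# Assumed alert threshold: the page gives no pool size, so tune per deployment.
MAX_AMF_INFO_ENTRIES = 16
NFM_PUT = re.compile(r"^/nnrf-nfm/v1/nf-instances/[^/?]+$")
DISC_GET = re.compile(r"^/nnrf-disc/v1/nf-instances(\?.*)?$")

def amf_info_count(profile):
    """Count amfInfoList entries in one NFProfile (JSON object or array)."""
    entries = profile.get("amfInfoList") if isinstance(profile, dict) else None
    return len(entries) if isinstance(entries, (dict, list)) else 0

def oversized_profiles(method, path, body, limit=MAX_AMF_INFO_ENTRIES):
    """Return [(nfInstanceId, count)] for profiles whose amfInfoList exceeds limit."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []  # not JSON, nothing to count
    if method == "PUT" and NFM_PUT.match(path):
        profiles = [doc]  # registration body is a single NFProfile
    elif method == "GET" and DISC_GET.match(path):
        # Assumption: discovery responses list profiles under "nfInstances".
        profiles = doc.get("nfInstances") if isinstance(doc, dict) else None
    else:
        return []
    if not isinstance(profiles, list):
        return []
    return [(p.get("nfInstanceId", "<unknown>"), amf_info_count(p))
            for p in profiles if amf_info_count(p) > limit]

def _profile(nf_id, n):
    """Build a constructed NFProfile with n amfInfoList entries."""
    infos = {str(i): {"amfSetId": "001", "amfRegionId": "01"} for i in range(n)}
    return {"nfInstanceId": nf_id, "nfType": "AMF", "amfInfoList": infos}

# Constructed sample messages, not captured traffic.
SAMPLES = [
    ("PUT", "/nnrf-nfm/v1/nf-instances/aaaa-1111", json.dumps(_profile("aaaa-1111", 2))),
    ("PUT", "/nnrf-nfm/v1/nf-instances/bbbb-2222", json.dumps(_profile("bbbb-2222", 500))),
    ("GET", "/nnrf-disc/v1/nf-instances?target-nf-type=AMF",
     json.dumps({"nfInstances": [_profile("cccc-3333", 1), _profile("dddd-4444", 40)]})),
]

for method, path, body in SAMPLES:
    for nf_id, count in oversized_profiles(method, path, body):
        print(f"ALERT {method} {path} nfInstanceId={nf_id} amfInfoList={count}")
```

The same counting logic can back the filtering mitigation: a proxy in front of the NRF that rejects messages for which `oversized_profiles` returns a non-empty list.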
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to apply the official patch or update Open5GS to a version where this vulnerability has been fixed.
Until the patch is applied, consider implementing network-level protections such as rate limiting or filtering to block or limit requests with abnormally large amfInfoList payloads targeting the NRF endpoints.
Monitoring the NRF logs for crashes and restarting the service promptly can help maintain availability.