CVE-2026-10156
Deferred Deferred - Pending Action
Resource Exhaustion in Open5GS via nf-info Pool Manipulation

Publication date: 2026-05-31

Last updated on: 2026-05-31

Assigner: VulDB

Description
A vulnerability was determined in Open5GS up to 2.7.7. This affects the function handle_amf_info in the library /lib/sbi/nnrf-handler.c of the component nf-instances Endpoint. Executing a manipulation of the argument nf_info_pool can lead to resource consumption. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. Applying a patch is advised to resolve this issue. The issue report is flagged as already-fixed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-31
Last Modified
2026-05-31
Generated
2026-06-20
AI Q&A
2026-05-31
EPSS Evaluated
2026-06-19
NVD
CVE-2026-10156
EUVD
EUVD-2026-33472
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open5gs open5gs to 2.7.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-10156 is a vulnerability in Open5GS, specifically in the Network Repository Function (NRF) component. It occurs when the NRF processes an oversized amfInfoList payload in NFProfile objects, which leads to resource exhaustion of the NF-info pool.

The vulnerability can be triggered remotely either by sending a maliciously large amfInfoList via a PUT request to the nf-instances endpoint or indirectly through inter-PLMN discovery via a GET request where a malicious Home-NRF returns an oversized payload.

Because the NRF tries to allocate memory for each entry in the amfInfoList without properly validating or limiting its size, the fixed-size pool is exhausted, causing an assertion failure and a fatal crash of the NRF process.

This results in a denial-of-service condition where the NRF crashes instead of rejecting the large payload gracefully.

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition by crashing the Network Repository Function (NRF) component of Open5GS.

An attacker can remotely exploit this issue by sending a specially crafted request with an oversized amfInfoList, causing the NRF to exhaust its resources and crash.

The impact is that the affected network function becomes unavailable, potentially disrupting 5G core network operations that rely on the NRF for service discovery and registration.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal termination of the Open5GS Network Repository Function (NRF) process, which may exit with code 139 due to resource exhaustion caused by oversized amfInfoList payloads.

Detection can also involve inspecting network traffic for suspicious PUT requests to the endpoint /nnrf-nfm/v1/nf-instances/{nfInstanceId} containing unusually large amfInfoList fields, or GET requests to /nnrf-disc/v1/nf-instances that return oversized amfInfoList payloads.

Suggested commands to detect this issue include using network traffic capture tools like tcpdump or Wireshark to filter for these specific API calls and payload sizes.

  • tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'amfInfoList'
  • grep -r 'ogs_pool_alloc() failed' /var/log/open5gs/*
  • journalctl -u open5gs-nrf.service | grep 'exit code 139'
Mitigation Strategies

The primary mitigation step is to apply the official patch or update Open5GS to a version where this vulnerability has been fixed.

Until the patch is applied, consider implementing network-level protections such as rate limiting or filtering to block or limit requests with abnormally large amfInfoList payloads targeting the NRF endpoints.

Monitoring the NRF logs for crashes and restarting the service promptly can help maintain availability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10156. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart