CVE-2026-7535
Denial of Service in Open5GS via UE Context Transfer
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | to 2.7.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can cause a denial of service (DoS) by crashing the AMF component of Open5GS when it processes a specially crafted request with an invalid `ueContextId`.
As the AMF is a critical component in managing mobility and access in 5G networks, its crash can disrupt network services, potentially leading to service outages or degraded network performance.
Since the attack can be initiated remotely without authentication, it increases the risk of exploitation by attackers aiming to disrupt network availability.
Can you explain this vulnerability to me?
CVE-2026-7535 is a vulnerability in Open5GS version 2.7.7 affecting the Access and Mobility Management Function (AMF). It occurs in the function handling registration status update requests when processing a POST request to the endpoint `/namf-comm/v1/ue-contexts/{ueContextId}/transfer-update`.
The vulnerability arises because when the system receives a request with an unknown or invalid `ueContextId`, it attempts to find the corresponding user equipment context but fails. Instead of properly handling this failure by returning an HTTP error, the code dereferences a NULL pointer, causing a segmentation fault and crashing the AMF process.
This flaw can be exploited remotely by sending a crafted HTTP/2 request with an invalid `ueContextId`, leading to a denial of service by crashing the AMF component.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or segmentation faults in the Open5GS AMF process when it handles requests to the endpoint `/namf-comm/v1/ue-contexts/{ueContextId}/transfer-update`.
A practical detection method is to send a crafted HTTP/2 POST request with an invalid or unknown `ueContextId` to the vulnerable endpoint and observe if the AMF process crashes instead of returning a proper HTTP error response.
For example, you can use curl with HTTP/2 support to test the endpoint:
- curl -X POST --http2 https://<open5gs-amf-ip>:<port>/namf-comm/v1/ue-contexts/invalid-ueContextId/transfer-update
If the AMF crashes or the service becomes unavailable after this request, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the Namf_Communication SBI interface to trusted sources only, such as internal networks or authenticated clients, to prevent remote attackers from sending crafted requests.
Additionally, monitor the AMF process for crashes and implement process supervision or automatic restarts to reduce downtime.
Since the project has not yet responded with a patch, consider applying custom patches or workarounds if available, or temporarily disabling the vulnerable service if feasible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.