CVE-2026-7535
Received Received - Intake
Denial of Service in Open5GS via UE Context Transfer

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: VulDB

Description
A vulnerability was found in Open5GS up to 2.7.7. This affects the function amf_namf_comm_handle_registration_status_update_request in the library /lib/app/ogs-init.c of the file /namf-comm/v1/ue-contexts/{ueContextId}/transfer-update. Performing a manipulation of the argument ueContextId results in denial of service. The attack can be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7535
EUVD
EUVD-2026-26468
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open5gs open5gs to 2.7.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can cause a denial of service (DoS) by crashing the AMF component of Open5GS when it processes a specially crafted request with an invalid `ueContextId`.

As the AMF is a critical component in managing mobility and access in 5G networks, its crash can disrupt network services, potentially leading to service outages or degraded network performance.

Since the attack can be initiated remotely without authentication, it increases the risk of exploitation by attackers aiming to disrupt network availability.

Executive Summary

CVE-2026-7535 is a vulnerability in Open5GS version 2.7.7 affecting the Access and Mobility Management Function (AMF). It occurs in the function handling registration status update requests when processing a POST request to the endpoint `/namf-comm/v1/ue-contexts/{ueContextId}/transfer-update`.

The vulnerability arises because when the system receives a request with an unknown or invalid `ueContextId`, it attempts to find the corresponding user equipment context but fails. Instead of properly handling this failure by returning an HTTP error, the code dereferences a NULL pointer, causing a segmentation fault and crashing the AMF process.

This flaw can be exploited remotely by sending a crafted HTTP/2 request with an invalid `ueContextId`, leading to a denial of service by crashing the AMF component.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or segmentation faults in the Open5GS AMF process when it handles requests to the endpoint `/namf-comm/v1/ue-contexts/{ueContextId}/transfer-update`.

A practical detection method is to send a crafted HTTP/2 POST request with an invalid or unknown `ueContextId` to the vulnerable endpoint and observe if the AMF process crashes instead of returning a proper HTTP error response.

For example, you can use curl with HTTP/2 support to test the endpoint:

  • curl -X POST --http2 https://<open5gs-amf-ip>:<port>/namf-comm/v1/ue-contexts/invalid-ueContextId/transfer-update

If the AMF crashes or the service becomes unavailable after this request, it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the Namf_Communication SBI interface to trusted sources only, such as internal networks or authenticated clients, to prevent remote attackers from sending crafted requests.

Additionally, monitor the AMF process for crashes and implement process supervision or automatic restarts to reduce downtime.

Since the project has not yet responded with a patch, consider applying custom patches or workarounds if available, or temporarily disabling the vulnerable service if feasible.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7535. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart