Executive Summary

CVE-2026-7601 is a vulnerability in the Open5GS software, specifically in the AMF (Access and Mobility Management Function) component. It arises from improper handling of the argument reg_type in the file src/amf/gmm-handler.c. When the AMF receives certain malformed or invalid registration requests, such as those with invalid registration_type values or placeholder 5G-GUTIs, it can lead to a denial of service (DoS) condition by causing the AMF to crash or become unresponsive.

The vulnerability can be triggered remotely by sending crafted messages that exploit the improper normalization and validation of registration_type values and 5G-GUTI placeholders. The root cause includes a reachable assertion failure during JSON conversion of UE context transfer request data, which causes the AMF to crash instead of handling the error gracefully.

A patch was introduced in Open5GS version 2.7.7 to normalize invalid registration_type values early in the processing, ignore placeholder 5G-GUTIs that do not represent valid contexts, and add assertions to validate fields before proceeding with UE context transfer. These changes improve robustness and prevent the denial of service.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service (DoS) on the Open5GS AMF component, which is a critical part of the 5G core network. An attacker can remotely trigger this by sending specially crafted registration requests with invalid or malformed parameters.

The impact includes the AMF crashing or becoming unresponsive, which disrupts the normal operation of the 5G core network functions such as user registration and mobility management. This can lead to service outages, degraded network availability, and interruption of connectivity for users relying on the affected network.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability in Open5GS AMF can be detected by monitoring for crashes or denial of service conditions triggered by malformed or invalid registration requests, specifically those involving invalid registration_type values or placeholder 5G-GUTIs.

Detection can involve checking logs for assertion failures or crashes related to the AMF component, especially around processing of InitialUEMessage NGAP messages containing RegistrationRequest with invalid or non-existent GUTIs.

While no specific commands are provided in the resources, typical detection steps might include:

• Review Open5GS AMF logs for error messages or crashes related to registration requests.
• Use network packet capture tools (e.g., tcpdump or Wireshark) to capture NGAP and NAS messages and filter for RegistrationRequest messages with unusual or invalid registration_type values or GUTIs.
• Example command to capture NGAP traffic on interface eth0: tcpdump -i eth0 -w ngap_capture.pcap port 38412
• Analyze captured packets for malformed NAS Registration Requests or invalid registration_type values.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation step is to upgrade Open5GS to version 2.7.7 or later, as this version includes the patch that addresses the vulnerability by normalizing invalid registration_type values and improving robustness against placeholder 5G-GUTIs.

Additional mitigation steps include:

• Apply the patch identified by commit ebc66942b6f8f1fab2d640e71cf4e9f1a423b426 if upgrading immediately is not possible.
• Monitor and filter incoming NGAP and NAS messages to detect and block malformed or suspicious registration requests that could trigger the vulnerability.
• Implement network-level protections such as firewalls or intrusion detection/prevention systems to limit exposure to potentially malicious traffic targeting the AMF.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not include any details on how the vulnerability in Open5GS affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0