Executive Summary

CVE-2026-8119 is a vulnerability in the Open5GS project affecting the Network Slice Selection Function (NSSF) component. Specifically, it occurs in the function ogs_sbi_stream_find_by_id within the /lib/sbi/nghttp2-server.c library. The issue arises when the NSSF processes a delayed response from a Home-NSSF after the original client has disconnected. The NSSF tries to find the original stream by ID, but if the stream is no longer available, the code incorrectly assumes the stream pointer is valid and crashes. This causes the NSSF process to exit unexpectedly, resulting in a denial of service.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service (DoS) in the Open5GS NSSF component. An attacker with local access can trigger the vulnerability by sending a request with a short timeout, causing the client to disconnect before the Home-NSSF response arrives. When the delayed response is processed, the NSSF crashes due to improper handling of a NULL stream pointer, causing the NSSF container to exit with a fatal error. This disrupts the network slice selection functionality, potentially impacting the availability of the 5G core network services.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal exits of the NSSF component in Open5GS, specifically looking for the NSSF container exiting with status code 139.

Since the vulnerability is triggered when the NSSF attempts to process a delayed response after the client disconnects, you can simulate this by sending a request to the GET /nnssf-nsselection/v2/network-slice-information endpoint with a short timeout and then disconnecting the client before the response arrives.

Commands to detect the issue could include checking the NSSF process status and logs for crashes, for example:

• Use system commands like `ps aux | grep nssf` to check if the NSSF process is running.
• Check container or system logs for exit status 139 or fatal errors related to ogs_sbi_stream_find_by_id, e.g., `journalctl -u open5gs-nssf` or `docker logs <nssf_container>`.
• Use curl or similar tools to send a request with a short timeout to the vulnerable endpoint: `curl --max-time 1 http://<nssf-ip>:<port>/nnssf-nsselection/v2/network-slice-information` and then disconnect before the response.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include limiting local access to the NSSF component since the attack requires local access.

Monitor the NSSF process for crashes and implement automated restarts to reduce downtime.

Avoid sending requests that could trigger the vulnerability, such as those with short timeouts that cause client disconnections before the Home-NSSF response arrives.

Since the project has not yet responded with a patch, consider applying custom patches or workarounds if available, or isolate the vulnerable component until a fix is released.

Useful 0 Not Useful 0