Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

The CVE-2026-8120 vulnerability is a flaw in the Network Slice Selection Function (NSSF) component of Open5GS, specifically in the function nssf_nnrf_nsselection_handle_get_from_amf_or_vnssf. It occurs when the NSSF processes a specific HTTP/2 GET request to the endpoint `/nnssf-nsselection/v2/network-slice-information` that includes both `home-plmn-id` and `homeSnssai` parameters, but the local NSSF configuration lacks any configured serving PLMN IDs.

Due to an unconditional assertion in the code that expects at least one serving PLMN to be configured, the NSSF crashes (assertion failure) and terminates the process with exit code 139 instead of returning a proper HTTP error response. This crash leads to a denial of service condition.

The vulnerability can be exploited remotely by sending a malformed request with the specified parameters to a vulnerable NSSF instance that has no serving PLMN configured.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the NSSF component of Open5GS to crash and terminate unexpectedly when processing certain malformed requests. This results in a denial of service (DoS) condition.

An attacker can remotely trigger this crash by sending a specially crafted HTTP/2 GET request, causing service disruption in the affected network slice selection functionality.

Such a denial of service can impact the availability of network services relying on Open5GS, potentially affecting users and dependent systems.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or denial of service in the Open5GS NSSF component when it processes specific HTTP/2 GET requests.

Specifically, sending a crafted HTTP/2 GET request to the endpoint `/nnssf-nsselection/v2/network-slice-information` including both `home-plmn-id` and `homeSnssai` parameters to the NSSF service can trigger the vulnerability if the local NSSF configuration lacks any serving PLMN IDs.

To detect if your system is vulnerable, you can attempt to reproduce the crash by issuing a test HTTP/2 GET request with these parameters to the NSSF instance and observe if the process terminates unexpectedly (exit code 139).

Example command using curl with HTTP/2 support (assuming the NSSF service is running on localhost port 8000):

• curl --http2 -v "http://localhost:8000/nnssf-nsselection/v2/network-slice-information?home-plmn-id=00101&homeSnssai=1-10"

If the NSSF process crashes or the service becomes unavailable after this request, it indicates the presence of the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

An immediate mitigation step is to ensure that the NSSF configuration file (`nssf.yaml`) includes at least one serving PLMN ID in the serving block.

This prevents the assertion failure in the vulnerable function by guaranteeing that the NSSF has a valid serving PLMN configured before processing requests.

Additionally, you should monitor and restrict incoming HTTP/2 requests to the NSSF service, especially those targeting the `/nnssf-nsselection/v2/network-slice-information` endpoint with suspicious or malformed parameters.

Until an official patch or update is released by Open5GS, consider applying network-level protections such as firewall rules or API gateways to block or rate-limit such requests.

Useful 0 Not Useful 0