CVE-2026-8123
Open5GS NSSF Denial of Service Vulnerability
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | to 2.7.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include monitoring and restricting incoming requests to the NSSF component to prevent oversized `snssais` query parameters from reaching the service.
Implement network-level filtering or rate limiting to block or limit suspicious requests targeting the `/nnssf-nsselection/v2/network-slice-information` endpoint with unusually large `snssais` parameters.
Additionally, consider isolating or restarting the NSSF process promptly if a crash is detected to minimize service disruption.
Since the project has not yet responded with a fix, closely monitor the official Open5GS repository or issue tracker for patches or updates addressing this vulnerability.
Can you explain this vulnerability to me?
This vulnerability exists in Open5GS up to version 2.7.7, specifically in the Network Slice Selection Function (NSSF) component. It occurs in the function ogs_sbi_discovery_option_add_snssais within the library /lib/sbi/message.c. The issue arises when the system processes a GET request containing an oversized 'snssais' query parameter. Instead of handling the oversized input gracefully, the request parser triggers a fatal assertion due to exceeding the maximum allowed number of slice entries, causing the NSSF process to crash and terminate unexpectedly.
This crash results in a denial of service condition, and the attack can be initiated remotely by sending a specially crafted request. The vulnerability has been publicly disclosed and the project has not yet responded to the issue.
How can this vulnerability impact me? :
The primary impact of this vulnerability is a denial of service (DoS) condition. An attacker can remotely send a crafted request with an oversized 'snssais' parameter, causing the NSSF component of Open5GS to crash and terminate. This disrupts the normal operation of the network slice selection function, potentially leading to service interruptions or outages in systems relying on Open5GS for network slicing.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or abnormal terminations of the Open5GS NSSF process, especially when it processes GET requests to the endpoint `/nnssf-nsselection/v2/network-slice-information`.
Specifically, sending a crafted GET request with an oversized `snssais` query parameter exceeding the limit defined by `OGS_MAX_NUM_OF_SLICE` can trigger the vulnerability and cause the NSSF process to crash.
A detection command example using curl to test this could be:
- curl -v "http://<open5gs-nssf-ip>:<port>/nnssf-nsselection/v2/network-slice-information?snssais=<oversized_list>"
Where `<oversized_list>` is a list of SNSSAI entries exceeding the allowed maximum. Observing the NSSF process crash or exit code 139 after this request indicates the presence of the vulnerability.