CVE-2026-8186
Undergoing Analysis Undergoing Analysis - In Progress
Out-of-Bounds Read in Open5GS NF Component

Publication date: 2026-05-09

Last updated on: 2026-05-11

Assigner: VulDB

Description
A vulnerability was detected in Open5GS up to 2.7.7. This affects the function ogs_sbi_client_send_via_scp_or_sepp in the library lib/sbi/client.c of the component NF. Performing a manipulation results in out-of-bounds read. The attack is possible to be carried out remotely. The patch is named d5bc487fcf9ea87d2b03f2ef95123af344773bfb. It is suggested to install a patch to address this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-09
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-8186
EUVD
EUVD-2026-28912
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open5gs open5gs to 2.7.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-8186 vulnerability is a denial-of-service (DoS) issue in the Open5GS software, specifically in the Service-Based Interface (SBI) client URI handling.

The problem occurs when a callback URI lacks a path component (for example, using "http://host:port" instead of "http://host:port/path"). The function ogs_sbi_client_send_via_scp_or_sepp() calls ogs_sbi_getpath_from_uri() to extract the path but does not check if the extraction was successful.

If the URI has no path, ogs_sbi_getpath_from_uri() returns false with the path set to NULL, causing an assertion failure (ogs_assert(path)) that aborts the process. This leads to a remote denial-of-service attack against any SBI-based Network Function (NF).

The vulnerability affects Open5GS versions 2.7.5, 2.7.6, and 2.7.7 and was fixed by adding proper error handling to check the URI path extraction result and avoid aborting the process.

Impact Analysis

This vulnerability can be exploited remotely to cause a denial-of-service (DoS) condition in the Open5GS network functions that use the Service-Based Interface (SBI).

An attacker can send a malformed callback URI without a path component, triggering the vulnerable function to abort the process, which crashes the affected network function.

This results in service disruption or downtime for the affected 5G core network components, potentially impacting network availability and reliability.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or denial-of-service symptoms in the Open5GS Network Function (NF) components, especially those using the Service-Based Interface (SBI) client. The issue occurs when a callback URI without a path component is processed, causing the NF to abort.

To detect attempts to exploit this vulnerability, you can look for logs or error messages related to malformed URIs or assertion failures in the SBI client logs.

Specific commands are not provided in the resources, but general approaches include:

  • Checking Open5GS logs for errors related to URI parsing or assertion failures in the function ogs_sbi_client_send_via_scp_or_sepp.
  • Using network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze SBI traffic for URIs lacking path components.
  • Running Open5GS in a debug mode or with increased logging to capture detailed information about URI handling.
Mitigation Strategies

The immediate step to mitigate this vulnerability is to apply the patch identified by commit d5bc487fcf9ea87d2b03f2ef95123af344773bfb to your Open5GS installation.

This patch modifies the function ogs_sbi_client_send_via_scp_or_sepp() to properly handle URIs without path components by logging the error and returning false instead of aborting the process.

If patching immediately is not possible, consider monitoring and blocking malformed SBI callback URIs that lack path components to prevent triggering the denial-of-service condition.

Additionally, ensure your Open5GS version is updated beyond v2.7.7, as versions v2.7.5, v2.7.6, and v2.7.7 are affected.

Compliance Impact

The provided information does not include any details on how the CVE-2026-8186 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8186. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart