CVE-2026-14618
Received - Intake

Denial of Service in Open5GS

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: VulDB

Description

A vulnerability was detected in Open5GS up to 2.7.7. Affected by this vulnerability is the function amf_nnrf_handle_nf_discover of the file src/amf/nnrf-handler.c of the component AMF. The manipulation results in denial of service. The attack may be launched remotely. The exploit is now public and may be used. The patch is identified as fb5f67703de0213fb9c6e6ef3b48b6c1707e9503. It is best practice to apply a patch to resolve this issue.

Meta Information

Published: 2026-07-04
Last Modified: 2026-07-04
Generated: 2026-07-04
AI Q&A: 2026-07-04
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | to 2.7.7 (inc) |

Exploitability

CWE

| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |

Executive Summary

This vulnerability exists in Open5GS up to version 2.7.7, specifically in the function amf_nnrf_handle_nf_discover within the AMF component. It occurs when a delayed Network Repository Function (NRF) discovery response is processed after the associated Radio Access Network User Equipment (RAN-UE) context has already been removed. The function attempts to access the RAN-UE context via ran_ue_find_by_id(), which returns NULL if the context is gone. However, the code asserts that this result must not be NULL, causing the AMF process to abort and crash.

This crash leads to a denial of service because the AMF component terminates unexpectedly, dropping all active user sessions until it restarts. The vulnerability can be triggered remotely and is related to handling stale or invalid RAN-UE contexts during NRF discovery responses.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition on the AMF component of Open5GS. When exploited, the AMF crashes and terminates all active user sessions, causing service disruption.

This means that users connected through the affected network may experience dropped connections and inability to access network services until the AMF is restarted and the issue is resolved.

Since the attack can be launched remotely, it poses a risk to network availability and reliability, especially in deployments without proper mitigations or patches applied.

Detection Guidance

This vulnerability causes the AMF component of Open5GS to crash due to an assertion failure when processing a delayed NRF Discovery response after the associated RAN-UE context has been removed. Detection can focus on monitoring for unexpected AMF process terminations or crashes.

Signs that the flaw has been triggered include AMF crashes or service interruptions, especially following network events such as gNB disconnections or NRF discovery delays.

Suggested commands to detect this issue include:

  • Check AMF process status and recent crashes using system logs, e.g., `journalctl -u open5gs-amf` or `systemctl status open5gs-amf`.
  • Monitor Open5GS AMF logs for assertion failures or abort messages related to `amf_nnrf_handle_nf_discover`.
  • Use network packet capture tools like `tcpdump` or `wireshark` to observe NRF discovery requests and responses, looking for delayed or missing responses.
  • Check for abnormal SCTP connection terminations from gNBs, which may trigger the vulnerability.

Mitigation Strategies

The primary mitigation step is to apply the patch identified by commit fb5f67703de0213fb9c6e6ef3b48b6c1707e9503, which fixes the issue by adding defensive NULL checks and proper transaction cleanup in the AMF's NRF discovery handling code.
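
The shape of the bug and of the fix described above, as a self-contained C toy model added here for illustration; it is not Open5GS source and not the upstream patch. Only the name `ran_ue_find_by_id` comes from the advisory; the context pool, the transaction struct, the handler signature and the `patched` switch are hypothetical.

```c
/* Toy model (added example), NOT Open5GS source. Only the name
 * ran_ue_find_by_id comes from the advisory; the rest is hypothetical. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t id; bool in_use; } ran_ue_t;
typedef struct { uint32_t ran_ue_id; } xact_t;   /* outstanding NRF discovery */
typedef enum { DISCOVER_OK, DISCOVER_STALE_DROPPED } discover_rc;

static ran_ue_t pool[4];
static uint32_t next_id = 1;
static int pending_xacts;                        /* transactions not yet released */

static ran_ue_t *ran_ue_add(void) {
    for (int i = 0; i < 4; i++)
        if (!pool[i].in_use) { pool[i] = (ran_ue_t){ next_id++, true }; return &pool[i]; }
    return NULL;
}
static void ran_ue_remove(ran_ue_t *ue) { ue->in_use = false; }

/* ID lookup: a removed context yields NULL, even if its slot was reused. */
static ran_ue_t *ran_ue_find_by_id(uint32_t id) {
    for (int i = 0; i < 4; i++)
        if (pool[i].in_use && pool[i].id == id) return &pool[i];
    return NULL;
}

discover_rc handle_nf_discover(xact_t *x, bool patched) {
    ran_ue_t *ran_ue = ran_ue_find_by_id(x->ran_ue_id);
    if (!patched) assert(ran_ue);  /* pre-fix shape: a stale ID aborts the daemon */
    pending_xacts--;               /* fixed shape: release on every path */
    return ran_ue ? DISCOVER_OK : DISCOVER_STALE_DROPPED;
}

/* Send discovery, optionally lose the context, then handle the late reply. */
discover_rc simulate(bool removed_before_response) {
    ran_ue_t *ue = ran_ue_add();
    xact_t x = { ue->id };
    pending_xacts++;
    if (removed_before_response) ran_ue_remove(ue);
    discover_rc rc = handle_nf_discover(&x, true);
    if (!removed_before_response) ran_ue_remove(ue);
    return rc;
}
int main(void) {
    printf("live=%d stale=%d\n", simulate(false), simulate(true));
}
```

With `patched` set to false, the stale case would end in `abort()` instead of `DISCOVER_STALE_DROPPED`, which is the process-wide outage the advisory describes.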

Until the patch is applied, it is recommended to monitor and limit conditions that can trigger the vulnerability, such as avoiding abrupt gNB disconnections and ensuring the NRF discovery responses are timely.

Additionally, enabling or ensuring the Service Communication Proxy (SCP) is active can help, as SCP discovery paths already include proper NULL handling and reduce the chance of this crash.

Restarting the AMF service after a crash can restore service temporarily, but this does not fix the underlying issue.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
