PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8123 Open5gs CVE debrief

CVE-2026-8123 is a low-severity but operationally relevant denial-of-service issue in Open5GS up to 2.7.7. According to the NVD record, the affected path is ogs_sbi_discovery_option_add_snssais in /lib/sbi/message.c within the NSSF component, and the issue can be triggered remotely. The record also notes that exploit details have been publicly disclosed and that the project was notified early via an issue report.

Vendor: Open5gs
Product: CVE-2026-8123
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-11
Advisory published: 2026-05-08
Advisory updated: 2026-05-11

Who should care

Operators and maintainers running Open5GS versions 2.7.7 and earlier, especially deployments that expose the NSSF service or related SBI endpoints to untrusted networks. Security teams should also review environments where service disruption in Open5GS would affect subscriber signaling or orchestration workflows.

Technical summary

NVD lists CVE-2026-8123 as affecting Open5GS versions through 2.7.7 with a remote attack vector (AV:N) and a denial-of-service impact on availability (VA:L). The vulnerable function is ogs_sbi_discovery_option_add_snssais in /lib/sbi/message.c, under the NSSF component. NVD assigns CWE-404. The available source corpus indicates public exploit disclosure and issue-tracking context, but does not provide exploit mechanics here.

Defensive priority

Prioritize as a patch-and-monitor issue for any exposed Open5GS deployment; the CVSS score is low, but remote reachability and public exploit disclosure increase practical risk.

Recommended defensive actions

  • Inventory Open5GS deployments and confirm whether any instance is running version 2.7.7 or earlier.
  • Treat NSSF-facing systems as higher priority, especially if the SBI surface is reachable from untrusted networks.
  • Apply the vendor fix or upgrade to a version that is not listed as vulnerable once available.
  • If immediate patching is not possible, restrict network access to Open5GS management and SBI interfaces to trusted peers only.
  • Monitor Open5GS logs and service health for unexplained NSSF crashes or repeated availability disruptions.
  • Track the upstream Open5GS project and the referenced issue for remediation guidance and release notes.
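
One way to automate the inventory and monitoring steps above, as an added example that is not part of the NVD record or the Open5GS project. It assumes the NSSF runs as a systemd unit named open5gs-nssfd and that log lines come from `journalctl -o short-iso` in chronological order; the host names, thresholds and sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

LAST_AFFECTED = (2, 7, 7)  # per the NVD record: Open5GS up to 2.7.7

# Assumption: unit name "open5gs-nssfd" and `journalctl -o short-iso` layout.
EXIT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) systemd\[1\]: open5gs-nssfd\.service: "
    r"Main process exited, code=(?P<code>\w+), status=(?P<status>\S+)")

def is_affected(version: str) -> bool:
    """True if a version string such as 'v2.7.7' is at or below 2.7.7."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    # Compare as integer tuples so 2.10.0 is not mistaken for < 2.7.7.
    return tuple(map(int, m.groups())) <= LAST_AFFECTED

def crash_bursts(lines, threshold=3, window=timedelta(minutes=10)):
    """Map each host to the time its `threshold`-th abnormal NSSF exit
    landed inside `window`. Lines must be in chronological order."""
    recent, alerts = {}, {}
    for line in lines:
        m = EXIT_RE.match(line)
        # Skip unrelated lines and clean exits (status 0).
        if not m or (m["code"] == "exited" and m["status"].startswith("0/")):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z")
        # Keep only earlier exits still inside the window, then add this one.
        hits = [t for t in recent.get(m["host"], []) if ts - t <= window] + [ts]
        recent[m["host"]] = hits
        if len(hits) >= threshold:
            alerts.setdefault(m["host"], ts)
    return alerts

# Constructed sample journal lines (not real Open5GS output).
_T = "{} {} systemd[1]: open5gs-nssfd.service: Main process exited, code={}, status={}"
SAMPLE = [_T.format(*row) for row in [
    ("2026-05-12T10:00:01+0000", "core-a", "dumped", "11/SEGV"),
    ("2026-05-12T10:02:10+0000", "core-a", "dumped", "11/SEGV"),
    ("2026-05-12T10:03:00+0000", "core-b", "exited", "0/SUCCESS"),
    ("2026-05-12T10:04:30+0000", "core-a", "killed", "6/ABRT"),
    ("2026-05-12T10:05:00+0000", "core-b", "dumped", "11/SEGV"),
    ("2026-05-12T10:40:00+0000", "core-b", "dumped", "11/SEGV"),
]]

if __name__ == "__main__":
    for host, when in crash_bursts(SAMPLE).items():
        print(f"{host}: repeated abnormal NSSF exits by {when.isoformat()}")
```

A host that is both flagged by `is_affected` and shows a crash burst is the first candidate for the access restrictions listed above.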

Evidence notes

This debrief uses only the supplied NVD-derived source item and official reference links. Supported facts include: affected product Open5GS up to 2.7.7; vulnerable function ogs_sbi_discovery_option_add_snssais in /lib/sbi/message.c; NSSF component; remote denial-of-service impact; CVSS v4 vector with availability impact; CWE-404; and references to the Open5GS GitHub repository and issue 4436. The source description states the exploit has been publicly disclosed and that the project was informed early through an issue report.

Official resources

The source corpus indicates a public exploit disclosure and an upstream issue report, but does not include exploit details. The issue was published on 2026-05-08 and later modified on 2026-05-11; those dates are used only as the CVE/source,