PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8746 Open5gs CVE debrief

CVE-2026-8746 describes a remote use-after-free affecting Open5GS up to version 2.7.7 in the NRF component’s discover_handler function. The record rates the issue as low severity, but it is network-exposed and potentially relevant for any deployment that exposes Open5GS SBI/NRF services. The source description also says a public exploit has been released and that the project was informed early via an issue report, with no response noted at publication time.

Vendor: Open5gs
Product: Unknown
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-17
Original CVE updated: 2026-05-18
Advisory published: 2026-05-17
Advisory updated: 2026-05-18

Who should care

Open5GS operators and maintainers, especially teams running exposed NRF/SBI services or any deployment still on versions up to 2.7.7.

Technical summary

The source record identifies a use-after-free in /lib/sbi/nghttp2-server.c, specifically the discover_handler function in Open5GS’s NRF component. The CNA-provided weakness mapping lists CWE-119 and CWE-416. The CVSS v4 vector indicates a network attack path with low privileges, no user interaction, and low availability impact, with no direct confidentiality or integrity impact recorded in the vector. The issue is described as remotely reachable.

Defensive priority

Moderate. The CVSS score is low, but the component is network-facing and the source description indicates a public exploit exists. Exposure matters more than score here, particularly for internet-reachable or broadly reachable NRF services.

Recommended defensive actions

  • Inventory Open5GS deployments and confirm whether any instance is running version 2.7.7 or earlier.
  • Reduce exposure of NRF/SBI endpoints where possible until a vendor fix or upstream patch is available.
  • Monitor for crashes or abnormal NRF behavior tied to discover_handler or nghttp2-server.c.
  • Track the upstream Open5GS repository and the referenced issue report for a fixed release or maintainer guidance.
  • Apply the first safe upstream or vendor patch as soon as it is published, then retest service stability.
  • If immediate patching is not possible, add compensating controls such as network restrictions and service monitoring around NRF traffic.
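The inventory and exposure steps above, as an added example that is not part of the PatchSiren record or the Open5GS project: it parses operator-reported version strings numerically (so 2.7.10 is not mistaken for an affected build), checks them against the "up to 2.7.7" range from the record, and ranks each NRF by whether its SBI listener is bound beyond loopback. Hostnames, versions and bind addresses in the sample inventory are constructed.

```python
"""Added example (not from the PatchSiren record or the Open5GS project):
triage Open5GS NRF instances against the CVE-2026-8746 range (up to and
including 2.7.7) and flag SBI listeners reachable beyond loopback."""
import ipaddress
import re
from dataclasses import dataclass

AFFECTED_MAX = (2, 7, 7)  # record: affects Open5GS up to version 2.7.7
_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

@dataclass
class NrfInstance:
    host: str      # constructed label for the deployment
    version: str   # version string as reported by the operator, e.g. "v2.7.6"
    sbi_bind: str  # address the NRF SBI (HTTP/2) listener is bound to

def parse_version(text: str) -> tuple[int, int, int]:
    """Numeric compare: as strings, "2.7.10" would sort before "2.7.7"."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Open5GS version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version: str) -> bool:
    return parse_version(version) <= AFFECTED_MAX

def is_exposed(bind_addr: str) -> bool:
    try:  # loopback-only listeners are not reachable by remote peers
        return not ipaddress.ip_address(bind_addr).is_loopback
    except ValueError:
        return True  # hostname we cannot parse: assume reachable

def triage(inventory: list[NrfInstance]) -> dict[str, str]:
    result = {}
    for inst in inventory:
        if not is_affected(inst.version):
            # newer than the reported range; no fix version is published, so not "fixed"
            result[inst.host] = "outside-reported-range"
        elif is_exposed(inst.sbi_bind):
            result[inst.host] = "patch-now"  # affected and network-reachable
        else:
            result[inst.host] = "patch"  # affected but loopback-only
    return result

SAMPLE_INVENTORY = [  # constructed, not real deployments
    NrfInstance("nrf-core-1", "v2.7.7", "10.45.0.5"),
    NrfInstance("nrf-lab", "2.7.3", "127.0.0.1"),
    NrfInstance("nrf-staging", "v2.7.10", "0.0.0.0"),
]
```

Instances marked "outside-reported-range" still need to be rechecked once the upstream issue report names a fixed release, since the record itself provides no fix version.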

Evidence notes

This debrief is based only on the supplied NVD/CNA record and the linked references in the source corpus. The record names Open5GS, identifies the affected component as NRF, and cites discover_handler in /lib/sbi/nghttp2-server.c. It also states the issue affects versions up to 2.7.7, that the manipulation results in use-after-free, that remote attack is possible, and that a public exploit has been released. The source record includes a referenced GitHub issue report and the Open5GS repository, but no fixed version is provided in the supplied corpus.

Official resources

CVE published: 2026-05-17T11:16:35.110Z. The supplied source record shows the same timestamp for publication and modification and lists NVD vulnStatus as "Received" at that time. No fix version or formal vendor response is included in the 0