PatchSiren

CVE-2026-8186 Vuldb CVE debrief

CVE-2026-8186 was published on 2026-05-09 and describes a remotely reachable out-of-bounds read in Open5GS up to 2.7.7. The affected code path is ogs_sbi_client_send_via_scp_or_sepp in lib/sbi/client.c within the NF component. The supplied record ties remediation to upstream commit d5bc487fcf9ea87d2b03f2ef95123af344773bfb.

Vendor: Vuldb
Product: Unknown
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-09
Advisory published: 2026-05-09
Advisory updated: 2026-05-09

Who should care

Operators and maintainers of Open5GS Network Function deployments, especially teams exposing SBI/client-facing interfaces over the network, plus SRE and security teams responsible for patching and change control.

Technical summary

The supplied NVD record describes an out-of-bounds read in ogs_sbi_client_send_via_scp_or_sepp within Open5GS's lib/sbi/client.c. The issue affects versions up to 2.7.7 and is remotely reachable. NVD metadata maps the weakness to CWE-119 and CWE-125 and provides a CVSS v4.0 vector of AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L, indicating a network-triggerable issue with low availability impact in the supplied scoring. The corpus also references upstream fix commit d5bc487fcf9ea87d2b03f2ef95123af344773bfb, along with the related Open5GS issue and pull request.

Defensive priority

High for internet- or partner-reachable Open5GS deployments; medium overall severity does not reduce urgency because the flaw is remotely triggerable with no privileges or user interaction. Prioritize patching or backporting before the affected service is exposed broadly.

Recommended defensive actions

  • Apply or backport the upstream fix commit d5bc487fcf9ea87d2b03f2ef95123af344773bfb into affected Open5GS builds.
  • Upgrade any Open5GS deployment at or below 2.7.7 to a release or package that includes the fix.
  • Restrict network exposure of SBI/NF interfaces until patching is complete, especially on externally reachable systems.
  • Rebuild containers and packages from updated source so the fix is present in every deployed image and artifact.
  • Monitor logs and service health for crashes or abnormal behavior in the SBI client path after remediation.
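
One way to verify the first two actions against a local source checkout, as an added example (not code from this debrief or from the Open5GS project). The function names are hypothetical; the commit hash and version bound are the ones quoted above, and the checkout is assumed to have fetched upstream history so the fix commit object is present.

```shell
#!/bin/sh
# Added example: constants are copied from the debrief; function names are hypothetical.
FIX_COMMIT="d5bc487fcf9ea87d2b03f2ef95123af344773bfb"
LAST_AFFECTED="2.7.7"

# Succeeds when VERSION (optional leading "v") is <= LAST_AFFECTED.
# Relies on `sort -V` (GNU coreutils or busybox).
version_in_affected_range() {
    v=${1#v}
    lowest=$(printf '%s\n%s\n' "$v" "$LAST_AFFECTED" | sort -V | head -n 1)
    [ "$lowest" = "$v" ]
}

# 0: COMMIT is an ancestor of HEAD; 1: it is not; 2: object missing from REPO.
tree_has_commit() {
    git -C "$1" cat-file -e "${2}^{commit}" 2>/dev/null || return 2
    git -C "$1" merge-base --is-ancestor "$2" HEAD
}

# A cherry-picked backport gets a new hash, so compare patch-ids instead.
# 0: a commit reachable from HEAD carries the same diff as COMMIT; 1: none does.
tree_has_equivalent_patch() {
    want=$(git -C "$1" show "$2" | git patch-id --stable | cut -d' ' -f1)
    [ -n "$want" ] || return 1
    git -C "$1" log -p --no-merges HEAD | git patch-id --stable |
        cut -d' ' -f1 | grep -qx "$want"
}

# Prints one of: fixed, backported, missing, unknown-commit.
# Usage: fix_status /path/to/open5gs-checkout [commit]
fix_status() {
    repo=$1; commit=${2:-$FIX_COMMIT}; rc=0
    tree_has_commit "$repo" "$commit" || rc=$?
    case $rc in
        0) echo fixed ;;
        2) echo unknown-commit ;;
        *) if tree_has_equivalent_patch "$repo" "$commit"
           then echo backported; else echo missing; fi ;;
    esac
}
```

A result of "missing" is not conclusive for a hand-ported fix: patch-ids only match when the backport carries the same diff, so such trees still need a manual review of lib/sbi/client.c.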

Evidence notes

All factual statements are grounded in the supplied CVE/NVD corpus: the CVE was published and modified on 2026-05-09, the NVD metadata lists the affected function, version range, CWE-119/CWE-125, and the CVSS v4.0 vector, and the referenced upstream GitHub commit/issue/PR point to remediation. The supplied corpus does not include the full text of the issue, pull request, or advisory, so this debrief avoids claims beyond the described out-of-bounds read and patch reference.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-05-09. No Known Exploited Vulnerabilities (KEV) listing is indicated in the supplied data.