CVE-2026-10116
Denial of Service in Open5GS up to 2.7.7
Publication date: 2026-05-30
Last updated on: 2026-05-30
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | to 2.7.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Open5GS up to version 2.7.7, specifically in the function ogs_sbi_xact_add within the ue-authentications Endpoint component. It is caused by exhaustion of a finite timer pool due to stalled outbound Service-Based Interface (SBI) transactions when handling repeated bursts of POST requests to the authentication endpoint.
When a client resets HTTP/2 streams, the local stream and request objects are freed immediately, but the outbound transactions and their timers remain pending until timeout. Repeated bursts of such requests deplete the timer pool, causing allocation failures in ogs_sbi_xact_add, which leads to assertion aborts and crashes of the AUSF (Authentication Server Function) process.
The root cause is the default finite sizing of the timer pool, which is limited and can be exhausted by this attack pattern. The vulnerability can be exploited remotely by sending multiple bursts of authentication requests while keeping the UDM service unresponsive.
How can this vulnerability impact me? :
This vulnerability can cause a denial of service (DoS) by crashing the AUSF process in Open5GS. When exploited, the authentication server crashes due to timer pool exhaustion, making the 5G core network unable to process authentication requests.
As a result, legitimate users may be unable to authenticate and access network services, leading to service disruption and potential downtime in the mobile network infrastructure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for repeated bursts of POST requests to the endpoint `/nausf-auth/v1/ue-authentications` that cause crashes or abnormal behavior in the AUSF (Authentication Server Function) component of Open5GS.
Specifically, detection involves observing if the AUSF process crashes due to timer pool exhaustion triggered by stalled outbound SBI transactions to the UDM service.
While no explicit commands are provided in the resources, network administrators can use tools like curl or HTTP clients to simulate bursts of POST requests to `/nausf-auth/v1/ue-authentications` and monitor the AUSF logs or process stability.
- Use network monitoring tools to detect high volumes of POST requests to `/nausf-auth/v1/ue-authentications`.
- Check AUSF logs for assertion aborts or crashes related to `ogs_sbi_xact_add()` failures.
- Simulate repeated POST requests with a command like: `curl -X POST https://<open5gs-server>/nausf-auth/v1/ue-authentications -d '<payload>'` in bursts and observe system behavior.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation step is to apply the patch that fixes this vulnerability.
The patch introduces a mechanism to automatically cancel pending outbound SBI transactions when the associated inbound server stream or session is closed, preventing timer pool exhaustion and subsequent crashes.
Until the patch is applied, it is advisable to monitor and limit the rate of authentication requests to avoid exhausting the timer pool.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of the CVE-2026-10116 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.