CVE-2026-10116 Overview
CVE-2026-10116 affects Open5GS versions up to 2.7.7, an open-source implementation of 5G Core and EPC network functions. The flaw resides in the ogs_sbi_xact_add function within /lib/core/ogs-timer.c, reachable through the ue-authentications endpoint. An authenticated remote attacker can manipulate requests to trigger a denial-of-service condition in the affected service. The vulnerability is categorized under [CWE-404] (Improper Resource Shutdown or Release). Public exploit code has been released, increasing the risk of opportunistic abuse against exposed Open5GS deployments.
Critical Impact
Remote attackers can disrupt 5G core network authentication services by exploiting improper resource handling in the Open5GS Service-Based Interface (SBI) transaction layer.
Affected Products
- Open5GS versions up to and including 2.7.7
- Component: /lib/core/ogs-timer.c (ogs-core library)
- Endpoint: ue-authentications (UE Authentication Function interface)
Discovery Timeline
- 2026-05-30 - CVE-2026-10116 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10116
Vulnerability Analysis
The vulnerability resides in the ogs_sbi_xact_add function inside the Open5GS core timer library at /lib/core/ogs-timer.c. This function is responsible for adding Service-Based Interface (SBI) transactions to the internal tracking structures used by 5G core network functions. The flaw is exposed through the ue-authentications endpoint, which handles User Equipment (UE) authentication procedures within the 5G core. When an attacker crafts specific request sequences against this endpoint, the function fails to properly release or manage allocated resources, leading to a denial-of-service condition. Service disruption in the authentication path can prevent legitimate UE registration and session establishment across the affected 5G network.
Root Cause
The root cause is classified as [CWE-404] Improper Resource Shutdown or Release. The ogs_sbi_xact_add routine does not correctly handle transaction lifecycle state under attacker-controlled input, leaving resources in an inconsistent state. Repeated invocation through the ue-authentications endpoint amplifies the impact and degrades availability of the SBI subsystem.
Attack Vector
The attack is network-based and requires low privileges with no user interaction. An attacker with access to the SBI interface can send crafted requests targeting ue-authentications to trigger the resource handling flaw. Because Open5GS deployments often expose SBI endpoints across internal lab, research, or private 5G environments, remote reachability is realistic. The vulnerability impacts availability only; confidentiality and integrity remain unaffected based on the CVSS vector.
No verified proof-of-concept code is included in this advisory. Technical details are available in the upstream GitHub Issue #4473 and the corresponding fix in Pull Request #4578.
Detection Methods for CVE-2026-10116
Indicators of Compromise
- Unexpected termination, hangs, or restart loops of Open5GS network function processes (AUSF, AMF, UDM) handling SBI traffic.
- Spikes in HTTP/2 requests directed at the ue-authentications path on SBI listeners.
- Sudden growth in failed UE authentication transactions or stalled SBI transaction queues.
Detection Strategies
- Inspect Open5GS logs for repeated ogs_sbi_xact_add invocations followed by transaction timeout errors or assertion failures.
- Monitor network function memory and file-descriptor consumption for sustained upward trends correlating with SBI request volume.
- Compare deployed Open5GS binaries against version 2.7.7 or older to identify exposed instances pending remediation.
Monitoring Recommendations
- Enable verbose logging on AUSF/AMF components and forward to a centralized log platform for correlation against SBI request patterns.
- Track health and restart counters of containerized Open5GS workloads to detect repeated crash-restart cycles indicative of DoS attempts.
- Restrict SBI endpoints to trusted management networks and audit access using flow records or service mesh telemetry.
How to Mitigate CVE-2026-10116
Immediate Actions Required
- Upgrade Open5GS to a version newer than 2.7.7 that includes the fix merged via Pull Request #4578.
- Restrict network reachability of the ue-authentications endpoint to authorized 5G core peers using firewall rules or service mesh policies.
- Enforce mutual TLS and authentication on SBI interfaces to limit which clients can submit authentication transactions.
Patch Information
The upstream Open5GS project has released a patch addressing the resource handling flaw in ogs_sbi_xact_add. Operators should track the Open5GS repository and apply the merged fix from Pull Request #4578. Rebuild and redeploy affected network functions after applying the update, then verify normal SBI transaction handling under load.
Workarounds
- Place a reverse proxy or API gateway in front of SBI endpoints to enforce rate limiting on requests to ue-authentications.
- Segment the SBI network so only authorized 5G core network functions can reach the AUSF and related authentication services.
- Implement automated process supervision to restart Open5GS network functions and alert operators when crash loops are detected.
# Example: restrict SBI endpoint to trusted peers using iptables
iptables -A INPUT -p tcp --dport 7777 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP
# Example: rate-limit ue-authentications requests via nginx reverse proxy
# in nginx.conf:
# limit_req_zone $binary_remote_addr zone=sbi:10m rate=20r/s;
# location /nausf-auth/v1/ue-authentications {
# limit_req zone=sbi burst=10 nodelay;
# proxy_pass http://open5gs_ausf;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
