CVE-2026-10157 Overview
CVE-2026-10157 is an improper authentication vulnerability in Open5GS through version 2.7.6. The flaw resides in the NGAP PathSwitchRequest message handler implemented in src/amf/ngap-handler.c within the Access and Mobility Management Function (AMF). A remote attacker can manipulate the message to bypass authentication checks, affecting the confidentiality, integrity, and availability of the 5G core network. The maintainers shipped a fix in commit a188e36b1741ffc2252133f59b1bda4f14d3cb5c. Public exploit details have been disclosed through VulDB.
Critical Impact
Remote attackers can exploit the NGAP PathSwitchRequest handler to bypass authentication in the Open5GS AMF, potentially disrupting subscriber sessions and mobility procedures within a 5G core network.
Affected Products
- Open5GS versions up to and including 2.7.6
- Open5GS AMF component (NGAP PathSwitchRequest Message Handler)
- Deployments using the vulnerable src/amf/ngap-handler.c code path
Discovery Timeline
- 2026-05-31 - CVE-2026-10157 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10157
Vulnerability Analysis
The vulnerability is classified as Improper Authentication [CWE-287]. It affects the NGAP PathSwitchRequest message handler within the Open5GS AMF. NGAP (NG Application Protocol) is the signaling protocol between the 5G Radio Access Network (gNB) and the AMF in the 5G core. The PathSwitchRequest procedure is normally triggered after an Xn-based handover so the target gNB can request the AMF to switch the user plane path. Because the handler does not adequately validate the authentication state associated with the incoming request, an attacker reachable on the N2 interface can submit a crafted PathSwitchRequest message that the AMF processes without enforcing proper identity verification.
Root Cause
The root cause is missing or insufficient authentication validation logic in the PathSwitchRequest processing flow inside src/amf/ngap-handler.c. The handler accepts and acts upon NGAP message parameters before confirming that the request originates from an authenticated, authorized gNB context tied to the targeted UE. The upstream patch a188e36b1741ffc2252133f59b1bda4f14d3cb5c tightens these checks. See GitHub Pull Request #4557 and GitHub Issue #4393 for the maintainer discussion.
Attack Vector
Exploitation requires network reachability to the AMF's N2 (SCTP/NGAP) interface. An attacker with access to that interface can send a forged PathSwitchRequest message and influence AMF state without supplying valid authentication context. The vulnerability does not require user interaction or prior privileges, and the attack complexity is low. Refer to VulDB CVE-2026-10157 for additional exploitation context.
No verified proof-of-concept code is available. The vulnerability is described in prose because no validated exploitation artifact has been published in the referenced advisories.
Detection Methods for CVE-2026-10157
Indicators of Compromise
- Unexpected NGAP PathSwitchRequest messages from gNBs that have not initiated a corresponding handover procedure.
- AMF log entries showing PathSwitch processing for UE contexts without matching prior NGAP setup or handover signaling.
- Anomalous SCTP associations to the AMF N2 interface from previously unseen peer IPs or unauthorized network segments.
Detection Strategies
- Inspect AMF logs for high-frequency or out-of-sequence PathSwitchRequest events correlated with specific UE identifiers.
- Deploy NGAP-aware network monitoring on the N2 interface to flag malformed or unauthenticated PathSwitch flows.
- Correlate NGAP signaling with gNB inventory to identify rogue or spoofed RAN nodes initiating PathSwitch procedures.
Monitoring Recommendations
- Forward AMF and NGAP signaling logs to a centralized analytics pipeline for anomaly detection across handover events.
- Baseline normal PathSwitchRequest volume per gNB and alert on deviations exceeding the baseline.
- Restrict and monitor SCTP connectivity to the AMF, alerting on connections originating outside the authorized RAN segment.
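The checks listed under Indicators of Compromise, Detection Strategies and Monitoring Recommendations can be expressed as code. The following is an added example, not Open5GS code and not taken from the referenced advisories. The normalised event tuple format, the sample events, the gNB inventory and the thresholds are constructed assumptions; a deployment needs its own parser to produce such events from AMF logs or N2 captures.

```python
from collections import defaultdict, deque

# Constructed, normalised N2 events, NOT the Open5GS log format. An assumed
# upstream parser emits (epoch_seconds, gnb_ip, ngap_procedure, amf_ue_ngap_id).
SAMPLE_EVENTS = [
    (100, "10.10.1.11", "InitialContextSetupResponse", 7),
    (160, "10.10.1.12", "PathSwitchRequest", 7),   # expected after an Xn handover
    (200, "10.10.9.50", "PathSwitchRequest", 7),   # peer missing from inventory
    (210, "10.10.1.12", "PathSwitchRequest", 42),  # UE context never set up
    (300, "10.10.1.11", "PathSwitchRequest", 7),
    (301, "10.10.1.11", "PathSwitchRequest", 7),
    (302, "10.10.1.11", "PathSwitchRequest", 7),   # third request inside the window
]
GNB_INVENTORY = {"10.10.1.11", "10.10.1.12"}       # constructed list of authorised gNBs
CONTEXT_SETUP = {"InitialContextSetupResponse"}    # procedures that establish a UE context


def detect(events, inventory, max_per_window=2, window_s=60):
    """Return (timestamp, gnb_ip, amf_ue_ngap_id, reason) for suspicious PathSwitchRequests."""
    known_ues = set()            # UE IDs for which setup signalling was seen earlier
    recent = defaultdict(deque)  # gnb_ip -> PathSwitchRequest timestamps in the window
    alerts = []
    for ts, gnb, proc, ue in sorted(events):
        if proc in CONTEXT_SETUP:
            known_ues.add(ue)
            continue
        if proc != "PathSwitchRequest":
            continue
        if gnb not in inventory:          # rogue or spoofed RAN node
            alerts.append((ts, gnb, ue, "unknown-gnb"))
        if ue not in known_ues:           # out-of-sequence: no prior setup for this UE
            alerts.append((ts, gnb, ue, "no-prior-ue-context"))
        q = recent[gnb]
        q.append(ts)
        while q and q[0] <= ts - window_s:  # drop timestamps that left the window
            q.popleft()
        if len(q) > max_per_window:       # volume above the per-gNB baseline
            alerts.append((ts, gnb, ue, "rate-above-baseline"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, GNB_INVENTORY):
        print(alert)
```

The fixed max_per_window threshold stands in for a measured per-gNB baseline and should be replaced with values observed in the operator's own network.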
How to Mitigate CVE-2026-10157
Immediate Actions Required
- Upgrade Open5GS to a release that includes commit a188e36b1741ffc2252133f59b1bda4f14d3cb5c or later.
- Audit network access to the AMF N2 (SCTP/NGAP) interface and restrict it to authorized gNBs only.
- Review historical AMF logs for evidence of unexpected PathSwitchRequest processing prior to patching.
Patch Information
The Open5GS project has merged a fix referenced by commit hash a188e36b1741ffc2252133f59b1bda4f14d3cb5c. Operators should pull the fixed source from the GitHub Open5GS Repository or upgrade to a packaged release that incorporates the change. See the GitHub Commit Details for the exact code modifications applied to src/amf/ngap-handler.c.
Workarounds
- Apply strict network segmentation so only trusted gNBs can reach the AMF N2 interface over SCTP.
- Enforce IPsec on the N2 interface as specified in 3GPP TS 33.501 to prevent unauthenticated peers from delivering NGAP messages.
- Disable or block external routing to the AMF management and signaling interfaces until the patch is deployed.
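# Configuration example: restrict SCTP/NGAP access to the AMF using nftables
# Replace <AMF_IF>, <NGAP_PORT>, and <TRUSTED_GNB_SUBNET> with environment values
# Commands are single-quoted so the shell passes braces, semicolons and the quoted log prefix to nft unchanged
nft add table inet open5gs_amf
# Chain policy is accept: only NGAP on <AMF_IF> is filtered, so other traffic to the host (SBI, management, loopback) is not cut off
nft 'add chain inet open5gs_amf input { type filter hook input priority 0; policy accept; }'
# Accept NGAP from the trusted gNB subnet
nft 'add rule inet open5gs_amf input iifname "<AMF_IF>" ip saddr <TRUSTED_GNB_SUBNET> sctp dport <NGAP_PORT> accept'
# Log and drop NGAP arriving from any other source
nft 'add rule inet open5gs_amf input iifname "<AMF_IF>" sctp dport <NGAP_PORT> log prefix "NGAP-DROP: " drop'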


