CVE-2026-10565 Overview
CVE-2026-10565 is a race condition vulnerability in Open5GS versions up to 2.7.6. The flaw resides in the gmm_state_security_mode function within src/amf/gmm-sm.c, part of the NGAP Handover component. Concurrent execution paths in the Access and Mobility Management Function (AMF) state machine can be triggered remotely, producing inconsistent state transitions. Exploit code has been published, but successful exploitation requires precise timing and authenticated low-privilege access. A pull request to remediate the issue is pending upstream acceptance.
Critical Impact
Remote attackers with low privileges can trigger a race condition in the Open5GS AMF, potentially degrading availability of 5G core network services through concurrent NGAP Handover message processing.
Affected Products
- Open5GS versions up to and including 2.7.6
- Open5GS AMF component (src/amf/gmm-sm.c)
- Deployments using NGAP Handover signaling
Discovery Timeline
- 2026-06-02 - CVE-2026-10565 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-10565
Vulnerability Analysis
The vulnerability is classified as a race condition [CWE-362] in the Open5GS AMF. The gmm_state_security_mode function in src/amf/gmm-sm.c handles 5G Mobility Management state transitions during NGAP-based handovers. Concurrent NGAP Security Mode Command (SMC) signaling can interleave with handover processing, producing inconsistent updates to shared state.
Attackers exploit this by sending concurrent N2 Security Mode signaling messages, as demonstrated in the publicly released N2-SMC-Concurrent proof-of-concept. The resulting state corruption can disrupt the registration and security context of User Equipment (UE) connections.
The attack vector is network-based and exploit complexity is high. Successful exploitation requires authenticated low-privilege access to the network interface accepting NGAP traffic, which limits practical exploitability outside compromised RAN or peer-NF environments.
Root Cause
The root cause is insufficient synchronization in the AMF GMM (5G Mobility Management) state machine. When two NGAP procedures touch the same UE context concurrently, the lack of atomicity in gmm_state_security_mode allows one path to observe or overwrite partially updated state from another, violating the expected handover and security mode sequence.
Attack Vector
An attacker with access to the N2 interface initiates parallel NGAP procedures targeting the same UE context during the security mode handshake. By racing concurrent Security Mode Command processing against an NGAP Handover transition, the attacker forces the AMF into an inconsistent GMM state. Refer to the Open5GS Pull Request #4501 and the N2-SMC-Concurrent Proof of Concept for technical details.
Detection Methods for CVE-2026-10565
Indicators of Compromise
- Concurrent NGAP Security Mode Command messages targeting the same UE identifier within short time windows
- Unexpected AMF state transition errors or assertions logged from gmm-sm.c
- Abnormal handover failure rates or repeated security mode renegotiations for a single subscriber
Detection Strategies
- Inspect AMF logs for warnings or errors emitted by the GMM state machine during handover and security mode procedures
- Monitor NGAP signaling on the N2 interface for duplicated or interleaved Security Mode Command exchanges per UE context
- Correlate UE registration anomalies with the source gNB to identify potentially malicious or misbehaving RAN nodes
Monitoring Recommendations
- Enable verbose AMF logging in non-production environments to baseline normal GMM transition sequences
- Deploy network telemetry on the N2 interface to capture NGAP message rates and identify timing anomalies
- Alert on repeated handover failures associated with a single gNB or subscriber identifier
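The per-UE timing indicator listed above can be checked offline against normalised N2 events. The following is an added example, not code from Open5GS or from this advisory; the event tuple layout, the security_mode/handover labels and the 50 ms window are assumptions to adapt to your own capture or log pipeline.

```python
from collections import defaultdict, deque

# Constructed sample: (epoch_seconds, gnb_id, ue_id, kind). The layout and the
# kind labels are assumptions; map them from your N2 capture or AMF log export.
SAMPLE_EVENTS = [
    (100.000, "gnb-a", 1, "security_mode"),
    (100.900, "gnb-a", 2, "security_mode"),
    (101.000, "gnb-a", 1, "handover"),       # 1 s after UE 1's SMC: outside window
    (200.000, "gnb-b", 7, "security_mode"),
    (200.020, "gnb-b", 7, "security_mode"),  # second SMC for UE 7 after 20 ms
    (200.035, "gnb-b", 7, "handover"),       # handover interleaved with both SMCs
    (300.000, "gnb-a", 2, "handover"),
]

WATCHED = {"security_mode", "handover"}


def find_overlaps(events, window=0.05):
    """Flag security-mode events that fall within `window` seconds of another
    security-mode or handover event for the same UE."""
    recent = defaultdict(deque)  # ue_id -> watched events still inside the window
    findings = []
    for ts, gnb, ue, kind in sorted(events, key=lambda e: e[0]):
        if kind not in WATCHED:
            continue
        q = recent[ue]
        while q and ts - q[0][0] > window:
            q.popleft()  # expire events older than the window
        for p_ts, p_gnb, p_kind in q:
            if "security_mode" not in (kind, p_kind):
                continue  # two handover messages alone are not this indicator
            label = "duplicate_smc" if kind == p_kind else "smc_handover_overlap"
            gnbs = tuple(sorted({p_gnb, gnb}))
            findings.append((ue, label, round(ts - p_ts, 3), gnbs))
        q.append((ts, gnb, kind))
    return findings


def findings_per_gnb(findings):
    """Count findings per source gNB to support correlation with RAN nodes."""
    counts = defaultdict(int)
    for _ue, _label, _gap, gnbs in findings:
        for g in gnbs:
            counts[g] += 1
    return dict(counts)
```

Tune the window against a baseline of normal handover and security mode timing before alerting on it, since legitimate retransmissions can also fall inside a short window.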
How to Mitigate CVE-2026-10565
Immediate Actions Required
- Restrict N2 interface access to trusted gNB peers using network segmentation and IPsec where mandated by 3GPP
- Track the upstream remediation in Open5GS Pull Request #4501 and apply the patch once merged
- Audit AMF deployments for exposure to untrusted RAN or peer networks
Patch Information
The upstream fix is pending review in Open5GS Pull Request #4501. Refer to Open5GS Issue #4497 for the original report and VulDB CVE-2026-10565 for tracking. Operators should monitor the Open5GS Repository for a tagged release containing the merged fix.
Workarounds
- Limit NGAP exposure to authenticated, IPsec-protected gNB peers to reduce remote attack surface
- Apply rate limiting on N2 signaling to constrain an attacker's ability to interleave concurrent procedures
- Increase AMF logging verbosity to identify and isolate misbehaving RAN nodes triggering race conditions


