MEDIUM 4.3

CVE-2026-10116: Open5GS UE Authentication Denial-of-Service Vulnerability

A vulnerability in Open5GS, a popular open-source 5G core network implementation, allows authenticated users to trigger a denial-of-service condition by manipulating the UE authentication endpoint. The flaw resides in timer transaction handling code and can be exploited remotely by anyone with legitimate access to the authentication service. Public exploit code is available, increasing the practical risk of abuse.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-404
Affected products
0 configuration(s)
Published / Modified
2026-05-30 / 2026-06-17

NVD description (verbatim)

A security flaw has been discovered in Open5GS up to 2.7.7. This vulnerability affects the function ogs_sbi_xact_add in the library /lib/core/ogs-timer.c of the component ue-authentications Endpoint. Performing a manipulation results in denial of service. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. Applying a patch is the recommended action to fix this issue.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10116 is a denial-of-service vulnerability in Open5GS versions up to 2.7.7, stemming from improper resource handling in the ogs_sbi_xact_add function within /lib/core/ogs-timer.c. The vulnerability affects the ue-authentications endpoint and is classified under CWE-404 (Uninitialized Variable). The flaw allows an authenticated attacker to manipulate transaction state, causing the service to become unresponsive. The CVSS 3.1 score of 4.3 (MEDIUM) reflects the network-accessible attack vector, low attack complexity, and requirement for authenticated access, with impact limited to availability.

Business impact

Exploitation of this vulnerability can disrupt 5G authentication services, preventing legitimate user authentication and registration on affected networks. While not directly exposing confidential data or enabling privilege escalation, sustained denial-of-service attacks could degrade network availability and user experience. Organizations relying on Open5GS for non-critical test or secondary networks face the most immediate operational risk, though any production deployment warrants prompt attention given the availability of public exploit code.

Affected systems

Open5GS versions through 2.7.7 are affected. This vulnerability impacts deployments of the open-source 5G core network software used in research, testing, and production environments. Organizations should identify all instances of Open5GS in their infrastructure and verify installed version numbers against the affected range.

Exploitability

The vulnerability requires authenticated access to the UE authentication endpoint, which moderates overall exploitability in internet-facing scenarios but significantly increases risk in internal networks or test environments where authentication credentials may be less strictly controlled. Public exploit code availability lowers the barrier to weaponization. Remote exploitation is feasible without user interaction, making it a practical concern for environments with permissive network access controls.

Remediation

Organizations should upgrade Open5GS to a patched version beyond 2.7.7. Verify the specific patch version against the official Open5GS project advisories and release notes to confirm vulnerability closure. Until patching is possible, consider implementing network-level access controls to restrict access to the ue-authentications endpoint to trusted sources only.

Patch guidance

Consult the Open5GS project repository and official security advisories for the specific patch version addressing CVE-2026-10116. Upgrade the affected Open5GS installation following the project's documented update procedures. Validate the upgrade by confirming the new version number and, where feasible, conducting functional testing of authentication endpoints in a non-production environment before full deployment.

Detection guidance

Monitor logs from Open5GS for repeated failed or malformed UE authentication requests, particularly from single sources or with suspicious patterns. Watch for timer-related errors or transaction timeouts in system logs. Network intrusion detection systems configured to identify denial-of-service patterns may help surface abuse attempts. Endpoint availability monitoring should alert on unexpected service degradation or restarts of authentication processes.

Why prioritize this

Although the CVSS score of 4.3 is moderate, prioritize patching based on your specific Open5GS deployment context. Public exploit availability and the ease of remote exploitation (authenticated) mean that opportunistic attackers may target known vulnerable instances. Prioritize production deployments and internet-facing instances highest; internal test environments can follow with a longer timeline if patching requires maintenance windows.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects a network-accessible, low-complexity attack requiring valid authentication credentials. Impact is limited to service availability (no data breach or lateral movement risk). The score would be lower if authentication were not required, but higher in environments where the authentication endpoint is exposed to a broad set of trusted users or where availability is mission-critical.

Frequently asked questions

Can this vulnerability be exploited without authentication credentials?

No. The CVSS vector indicates PR:L (Privilege: Low), meaning an authenticated user is required. Unauthenticated remote exploitation is not possible; however, in networks where authentication credentials are widely distributed or easily obtained, this requirement provides limited real-world protection.

What is the difference between this vulnerability and a network outage?

A network outage is unplanned and affects all users. This vulnerability allows a single authenticated attacker to selectively trigger denial-of-service conditions on the authentication endpoint, affecting new user registrations or re-authentications while potentially leaving other network services operational.

Does this vulnerability expose user data?

No. The vulnerability impacts only availability of the authentication service. There is no confidentiality impact (no data theft) or integrity impact (no unauthorized modification). However, if authentication is unavailable, users cannot access network services.

What should we do if we cannot patch immediately?

Implement network access controls to limit who can reach the ue-authentications endpoint (IP whitelisting or VPN requirement). Monitor for suspicious authentication traffic patterns. Schedule a maintenance window to apply the patch as soon as operationally feasible, prioritizing production systems.

This analysis is provided for informational purposes and does not constitute professional security advice. Verify all technical details, patch version numbers, and affected products against official vendor advisories before making remediation decisions. Test patches in non-production environments prior to deployment. The vulnerability landscape evolves; consult authoritative sources including the Open5GS project and CVE databases for the most current information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).