CVE-2026-10117: Open5GS nghttp2-server Denial of Service Vulnerability
Open5GS, an open-source 5G core network implementation, contains a vulnerability in its HTTP/2 server library that can be exploited to cause a denial of service. An attacker with valid credentials can remotely trigger the issue by manipulating specific inputs to the pool allocation function, causing the application to become unresponsive or crash. Versions up to 2.7.7 are affected. Public exploit code exists, increasing the risk of opportunistic attacks.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-404
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-30 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in Open5GS up to 2.7.7. This issue affects the function ogs_pool_id_calloc in the library /lib/sbi/nghttp2-server.c. Executing a manipulation can lead to denial of service. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. It is best practice to apply a patch to resolve this issue.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10117 is a resource exhaustion vulnerability in the ogs_pool_id_calloc function within Open5GS's nghttp2-server.c library. The vulnerability stems from improper handling of pool ID allocation (CWE-404), allowing an authenticated attacker to manipulate the allocation logic and exhaust system resources. The flaw permits remote exploitation with low attack complexity, though prior authentication is required. The vulnerability resides in a critical network interface component responsible for SBI (Service Based Interface) communication in 5G architectures.
Business impact
For organizations operating 5G core networks using Open5GS, this vulnerability poses a service availability risk. A denial of service attack could disrupt SBI communication between network functions, degrading voice, data, and messaging services. While the attack requires authentication and the impact is limited to availability (not confidentiality or integrity), the public availability of exploit code means threat actors may repurpose it quickly. Downtime in telecom infrastructure can translate to revenue loss, regulatory reporting obligations, and reputational damage.
Affected systems
Open5GS versions up to and including 2.7.7 are vulnerable. The vulnerability specifically affects the nghttp2-server component used for HTTP/2 communication within the SBI framework. Organizations using Open5GS in production 5G deployments, lab environments, or hybrid architectures should audit their deployed versions immediately.
Exploitability
The vulnerability requires an attacker to have valid authentication credentials to trigger the issue, which moderates the attack surface. However, the low attack complexity and network-accessible nature of the SBI interface mean that a compromised user account or insider threat could weaponize this flaw with minimal difficulty. The public release of exploit code lowers the technical barrier for opportunistic threat actors. External attackers without credentials cannot directly exploit this vulnerability.
Remediation
Upgrade Open5GS to a patched version released after 2.7.7. Verify the exact version number and release notes from the Open5GS project repository. Organizations unable to patch immediately should restrict network access to the SBI interface through firewall rules, VPNs, or network segmentation, allowing communication only from trusted network functions. Monitor for suspicious authentication attempts and consider implementing rate limiting on the affected endpoints.
Patch guidance
Check the Open5GS GitHub repository and official release notes for versions after 2.7.7 that address the ogs_pool_id_calloc issue. Apply the patch in a controlled manner, first to lab or staging environments that mirror production topology. Validate HTTP/2 SBI communication between network functions post-patch. If running Open5GS in a containerized environment, rebuild container images with the patched version and redeploy. For air-gapped deployments, obtain the patched source code through secure channels and follow your standard build and testing procedures.
Detection guidance
Monitor Open5GS logs for repeated allocation failures or pool exhaustion errors originating from the nghttp2-server component. Watch for unusual patterns of SBI requests from authenticated users—specifically requests that trigger resource-intensive pool operations. Implement network-level monitoring to detect abnormal traffic volume or connection patterns on SBI ports (typically 7777 for insecure communication or port 443 for secure interfaces). Alert on failed authentication attempts followed by successful logins that precede denial of service symptoms, as this may indicate a compromised credential being used.
Why prioritize this
Although the CVSS score of 4.3 (Medium) reflects limited blast radius due to authentication requirements and availability-only impact, the public exploit availability and the critical nature of SBI communication in 5G infrastructure elevate the practical urgency. SBI disruptions cascade quickly through the core network, and any extended outage affects end-user services. Prioritize patching based on whether your Open5GS instance is internet-facing, the authentication model in use, and the tolerance for SBI downtime. Production deployments in critical telecom environments warrant faster remediation timelines than isolated test systems.
Risk score, explained
The CVSS 3.1 score of 4.3 reflects: (1) network-accessible attack vector reducing friction; (2) low attack complexity once authenticated; (3) required prior authentication narrowing exposure; (4) no impact to confidentiality or integrity; and (5) limited availability impact per instance. However, the contextual severity is higher given the infrastructure role of 5G core networks, the availability of public exploit code, and the potential for cascading failures in SBI-dependent functions. Use this score as a baseline; adjust prioritization upward if your deployment has permissive authentication or if SBI availability is mission-critical.
Frequently asked questions
Do I need valid credentials to exploit this vulnerability?
Yes. The vulnerability requires prior authentication to the SBI interface. However, if credentials are compromised or if your authentication model is permissive (e.g., default credentials not rotated, overly broad service account privileges), the barrier to exploitation becomes minimal. Review your credential management and access controls for SBI components.
Is this vulnerability included in CISA's Known Exploited Vulnerabilities catalog?
No, as of the last update this vulnerability is not listed in the KEV catalog. However, public exploit code is available, which historically precedes KEV inclusion. Do not assume lack of KEV status means low risk—actively monitor threat intelligence feeds for changes.
What versions of Open5GS are safe from this vulnerability?
Versions after 2.7.7 that include the fix for the ogs_pool_id_calloc function are safe. Consult the Open5GS project release notes to identify the first patched version and verify the fix against the upstream commits. Do not assume version numbers beyond 2.7.7 are patched without explicit confirmation.
Can this vulnerability lead to data theft or system compromise?
No. This vulnerability affects only availability (denial of service). It does not enable data exfiltration, lateral movement, or remote code execution. However, a denial of service on SBI can indirectly enable other attacks if threat actors combine it with other exploits or if the outage obscures malicious activity elsewhere in the network.
This analysis is provided for informational purposes and does not constitute legal, technical, or professional advice. Verify all patch version numbers, affected product lists, and remediation steps against official vendor advisories and your own testing. CVSS scores and severity ratings are based on NIST/NVD standards and may not reflect your specific organizational context or risk tolerance. Conduct thorough testing of patches in non-production environments before deployment. This document does not endorse any particular security product or service. Consult with your security team and vendors for guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10113MEDIUMOpen5GS NF-Profile Parser Denial of Service Vulnerability
- CVE-2026-10115MEDIUMOpen5GS NF Profile Parser DoS Vulnerability
- CVE-2026-10116MEDIUMOpen5GS UE Authentication Denial-of-Service Vulnerability
- CVE-2026-10156MEDIUMOpen5GS Resource Exhaustion Vulnerability in nf-instances Endpoint
- CVE-2026-10190MEDIUMTenda W12 Web Interface Denial-of-Service Vulnerability
- CVE-2026-10224MEDIUMNousResearch hermes-agent Webhook Resource Exhaustion Vulnerability
- CVE-2026-10650MEDIUMLibwebsockets SSH Handler Resource Exhaustion Vulnerability
- CVE-2026-10802MEDIUMKeystoneJS GraphQL Resource Exhaustion Vulnerability