LOW 3.1

CVE-2026-10565: Race Condition in Open5GS NGAP Handover Affects 5G Service Continuity

A race condition vulnerability has been discovered in Open5GS versions up to 2.7.6 that affects the NGAP Handover security mode processing function. The flaw allows an authenticated attacker to trigger a timing-dependent race condition that results in a denial-of-service condition. While a public exploit exists, successful exploitation requires specific conditions and careful timing, making real-world attacks difficult to execute reliably.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-362
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

A security flaw has been discovered in Open5GS up to 2.7.6. The impacted element is the function gmm_state_security_mode of the file src/amf/gmm-sm.c of the component NGAP Handover. Performing a manipulation results in race condition. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is regarded as difficult. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10565 is a race condition (CWE-362) in the gmm_state_security_mode function within src/amf/gmm-sm.c of the Open5GS Access and Mobility Management Function (AMF). The vulnerability manifests in the NGAP Handover component, which handles security context management during inter-cell mobility procedures. The race condition allows an authenticated network entity to manipulate timing-dependent state transitions, leading to uncontrolled service disruption. The attack vector is network-based and requires low privilege (authenticated access), but exploitability is constrained by high attack complexity due to the precise timing requirements inherent to race condition exploitation.

Business impact

Organizations operating Open5GS-based 5G network infrastructure face potential service availability degradation. An authenticated attacker could trigger denial-of-service conditions affecting handover operations, potentially disrupting user mobility between cells. For telecom operators or private 5G deployments relying on Open5GS, this creates intermittent service interruption risks that may impact subscriber experience during handover scenarios. The low CVSS score reflects limited confidentiality and integrity risk, but availability impact warrants attention in environments where call continuity is critical.

Affected systems

Open5GS versions through 2.7.6 are affected. The vulnerability resides in the AMF component's security mode handling, specifically impacting the NGAP handover procedures. Open5GS is used in research deployments, operator lab environments, and some production private 5G networks. The authentication requirement means the threat is primarily from compromised or malicious network elements (e.g., rogue gNodeB, compromised MME/AMF peer) rather than untrusted endpoints.

Exploitability

Public exploit code is available, lowering the barrier to weaponization. However, practical exploitation remains difficult due to high attack complexity—the attacker must orchestrate precise timing to win the race condition during the security mode transition. Successful attacks depend on network latency, system load, and synchronization between the attacker-controlled element and the target AMF. While not trivial, determined threat actors with network access (insider threats, compromised infrastructure) could achieve reliable exploitation through instrumentation and repeated attempts.

Remediation

A fix has been submitted as a pull request awaiting upstream acceptance by the Open5GS project maintainers. Organizations should monitor the Open5GS GitHub repository and security advisories for the next patched release. Until an official patch is available, compensating controls include network segmentation to restrict access to the AMF, robust authentication and authorization for inter-element communication, and monitoring for anomalous handover failures or security mode negotiation errors.

Patch guidance

Check the Open5GS project repository and security announcements for an updated release incorporating the race condition fix. Verify against the vendor advisory to confirm the specific version that resolves CVE-2026-10565. Once available, apply patches to all AMF instances in your deployment. In lab or non-critical environments, patches can often be applied immediately; production deployments should conduct staged testing in an isolated 5G testbed to validate handover stability post-patch before wider rollout. Document baseline handover metrics (success rates, latency) to compare against post-patch behavior.

Detection guidance

Monitor AMF logs for abnormal patterns: repeated security mode negotiation failures, handover rejections with security-related error codes, or temporary loss of radio connectivity during handover windows. Network-level detection is challenging due to the race condition nature, but correlation of timing anomalies with security mode procedure invocations may signal exploitation attempts. Deploy continuous health checks on handover success rates; sustained degradation could indicate attack activity. Security information and event management (SIEM) rules should flag multiple failed security mode transitions within a short time window from the same source element.

Why prioritize this

Despite a low CVSS score, this vulnerability merits attention in 5G-specific risk contexts. The availability of public exploits and the relative ease of triggering in a controlled network environment elevates practical risk. Prioritization depends on deployment: production telecom networks should treat this as medium-priority for patch planning; lab and research deployments can defer unless already under active monitoring. The authentication requirement limits blast radius, but the criticality of handover operations to cellular service continuity justifies prompt action once patches become available.

Risk score, explained

The CVSS 3.1 score of 3.1 (LOW) reflects the following: network attack surface (AV:N) and authentication requirement (PR:L) provide access; high attack complexity (AC:H) due to race condition timing constraints; no confidentiality or integrity impact (C:N/I:N); limited availability impact (A:L) manifesting as transient service disruption rather than total outage. The score appropriately captures the technical barriers to exploitation and narrow impact scope, though operational context—such as reliance on handover continuity—may warrant elevated treatment in specific threat models.

Frequently asked questions

What is a race condition, and why does it matter here?

A race condition occurs when the timing of concurrent operations determines correctness. In this vulnerability, multiple actors competing to transition security state during handover can cause unexpected behavior. If an attacker synchronizes their input with the legitimate state machine, they can force an intermediate state leading to denial of service. Race conditions are notoriously difficult to exploit reliably because they depend on exact timing, but once understood, can be weaponized by attackers with network access and patience.

Do I need to patch immediately if I run Open5GS?

If you operate a production 5G network using Open5GS, monitor for patch availability and plan to apply it within your standard change management cycle—typically weeks to a month depending on operational risk tolerance. Lab and non-critical deployments can be patched sooner. If Open5GS is isolated in a research setting with no public exposure, urgency is lower. Authentication requirement limits risk, but you should not delay indefinitely once a stable patch is available.

Can this be exploited from outside my network?

The vulnerability requires network-level access (authenticated) to the AMF, meaning external internet users cannot directly exploit it. However, if your 5G network peers with untrusted or compromised partners, or if an insider has network access, exploitation becomes possible. Roaming scenarios and inter-operator handover introduce broader exposure. Segment your AMF and enforce strict authentication for all peer communications.

How does this differ from other 5G vulnerabilities I should know about?

This is a race condition in a specific component (AMF handover), not a cryptographic or protocol-level flaw. The impact is primarily availability-focused and localized to handover procedures, not global network compromise. Unlike vulnerabilities affecting the 5G specification itself, this is an implementation bug in one open-source stack. Other operators using different AMF implementations are unaffected, but organizations deploying Open5GS in any form should track it.

This analysis is based on CVE-2026-10565 data published as of 2026-06-17 and publicly available information about Open5GS. Specific patched versions, exact remediation timelines, and vendor advisories should be verified directly with the Open5GS project and your infrastructure vendor. No exploit code or attack procedures are provided in this briefing. Organizations should conduct independent risk assessment based on their specific deployment architecture, network segmentation, and threat model before prioritizing response actions. This document is for informational purposes and does not constitute security advice for any particular organization. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).