Open5GS: Seven CVEs Disclosed Across NGAP and SBI Handlers
Seven vulnerabilities were disclosed in Open5GS up to version 2.7.7, spanning improper authentication in the NGAP handler and multiple denial-of-service flaws in the SBI/NNRF library, with public exploits already available.

Key findings
- CVE-2026-10157 is a High-severity (CVSS 7.3) improper-authentication bug in the NGAP PathSwitchRequest handler
- Six Medium-severity CVEs target the SBI/NNRF library, mostly denial-of-service flaws
- CVE-2026-10114 is an out-of-bounds write in the Shared NF-profile Parser (handle_scp_info)
- Public exploits are available for all seven CVEs
- Affects Open5GS up to 2.7.7 (CVE-2026-10157 up to 2.7.6); no patch released at disclosure time
- Bugs concentrated in the NRF control-plane parser — a critical service-discovery component

On May 30–31, 2026, seven CVEs were disclosed together targeting Open5GS, the open-source 5G Core network implementation. The batch covers versions up to 2.7.7 (with one CVE affecting up to 2.7.6) and includes one High-severity improper-authentication bug in the NGAP PathSwitchRequest handler and six Medium-severity flaws concentrated in the SBI (Service-Based Interface) library. Public exploits have been released for all seven, raising the urgency for operators running Open5GS in testbeds or production-like environments.
The most critical finding is CVE-2026-10157 (CVSS 7.3, High), which resides in src/amf/ngap-handler.c — the NGAP PathSwitchRequest message handler of the Access and Mobility Management Function (AMF). The vulnerability is an improper-authentication flaw, meaning an attacker could potentially trigger a path-switch procedure without proper credentials. Because NGAP handles core mobility events between gNBs and the AMF, a successful exploit could lead to session hijacking or traffic misdirection. The exploit is publicly available, and the flaw affects Open5GS up to version 2.7.6.
The remaining six CVEs all land in the SBI (Service-Based Interface) layer, specifically in the lib/sbi/nnrf-handler.c library and related components. These are the Network Repository Function (NRF) message parsers that handle NF profile registration and discovery — a critical control-plane pathway in the 5G core.
Three of these — CVE-2026-10115, CVE-2026-10113, and CVE-2026-10156 — are denial-of-service bugs in the Shared NF-profile Parser and the handle_amf_info function. All three are remotely triggerable with public exploits, and they can cause resource exhaustion or crash the NRF/AMF processes by sending crafted SBI messages.
CVE-2026-10116 (CVSS 4.3) affects ogs_sbi_xact_add in ogs-timer.c, part of the ue-authentications endpoint. This is another remotely exploitable DoS that can be triggered via manipulated SBI transactions.
CVE-2026-10117 (CVSS 4.3) targets ogs_pool_id_calloc in nghttp2-server.c, the HTTP/2 server component of the SBI layer. A crafted request can exhaust memory pools, leading to denial of service.
CVE-2026-10114 (CVSS 4.3) stands apart from the DoS cluster: it is an out-of-bounds write in the handle_scp_info function of the Shared NF-profile Parser. While scored Medium, out-of-bounds writes in control-plane parsers can sometimes be chained for more severe impact, especially in memory-unsafe C codebases.
Patch status and mitigations. At the time of disclosure, the vendor had not yet released a patched version addressing all seven CVEs. The affected range is Open5GS up to 2.7.7 (with CVE-2026-10157 affecting up to 2.7.6). Operators should monitor the Open5GS GitHub repository and the project's release announcements for a fix. Until a patch is available, network segmentation and strict access control to the SBI and N26 interfaces are recommended to limit exposure to remote attackers.
Why this matters. Open5GS is widely used in 5G research labs, private 5G deployments, and as a reference implementation for 3GPP core-network testing. A batch of seven remotely exploitable CVEs — with public exploits — in the AMF and NRF components means that unpatched instances are trivially discoverable and attackable. The concentration of bugs in the SBI/NNRF parser is particularly concerning because the NRF is the central service-discovery hub of the 5G core; a DoS or OOB write there can disrupt the entire control plane. Operators should prioritize patching once a release is available and audit any Open5GS instances exposed to untrusted networks.
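
One way to carry out the exposure audit and access-control review recommended above, as an added example that is not code from the Open5GS project or from the advisories: it reads the output of `ss -H -ltnp` (or `ss -H -lSnp` for SCTP) and reports Open5GS daemons listening on anything other than loopback. The `open5gs-` process-name prefix, the column layout, and the addresses and ports in the sample are assumptions; the sample lines are constructed.

```python
import ipaddress
import re

# Constructed sample of `ss -H -ltnp` / `ss -H -lSnp` output (not from a real host).
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.10:7777 0.0.0.0:* users:(("open5gs-nrfd",pid=811,fd=12))
LISTEN 0 4096 10.20.0.5:7777 0.0.0.0:* users:(("open5gs-amfd",pid=820,fd=14))
LISTEN 0 5 0.0.0.0:38412 0.0.0.0:* users:(("open5gs-amfd",pid=820,fd=9))
LISTEN 0 4096 [::1]:7777 [::]:* users:(("open5gs-scpd",pid=830,fd=12))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
"""

PROC_RE = re.compile(r'\(\("(open5gs-[a-z0-9]+)"')  # assumed daemon name prefix


def split_host_port(local):
    """Split ss's Local Address:Port column, handling [v6]:port and *:port."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any %iface suffix
    return host, int(port)


def is_exposed(host):
    """True unless the bind address is loopback (wildcards count as exposed)."""
    if host == "*":
        return True
    return not ipaddress.ip_address(host).is_loopback


def exposed_open5gs_listeners(ss_output):
    """Return (daemon, host, port) for Open5GS listeners not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if fields and fields[0].islower():
            fields = fields[1:]  # drop the Netid column ss adds for mixed protocols
        proc = PROC_RE.search(line)
        if len(fields) < 5 or not proc:
            continue  # not a listener row, or not an Open5GS process
        host, port = split_host_port(fields[3])
        if is_exposed(host):
            findings.append((proc.group(1), host, port))
    return findings


if __name__ == "__main__":
    for daemon, host, port in exposed_open5gs_listeners(SAMPLE_SS):
        print(f"review access control: {daemon} listens on {host}:{port}")
```

A non-loopback listener is not a finding by itself in a multi-host core; each reported address should be checked against the segment and firewall policy that is supposed to fence it off.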