CVE-2026-10117
Description
A weakness has been identified in Open5GS up to 2.7.7. This issue affects the function ogs_pool_id_calloc in the library /lib/sbi/nghttp2-server.c. Executing a manipulation can lead to denial of service. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. It is best practice to apply a patch to resolve this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Open5GS up to v2.7.7 contains a pool exhaustion vulnerability in its SBI HTTP/2 server that can be remotely exploited to cause a denial of service.
Vulnerability
A weakness exists in Open5GS versions up to v2.7.7 affecting the function ogs_pool_id_calloc in the library /lib/sbi/nghttp2-server.c. The SBI HTTP/2 server uses a shared stream pool and request pool that are sized based on the expected number of UEs (ogs_app()->pool.stream and ogs_app()->pool.message set to global_conf.max.ue * 16). When request headers arrive in on_begin_headers(), the server unconditionally allocates an ogs_sbi_stream_t and an ogs_sbi_request_t without checking whether the pools are exhausted, then asserts that the allocation succeeded (ogs_assert(stream)). A remote client can trigger this allocation failure by opening many HTTP/2 streams with headers and never finishing the request body, exhausting the pools [1].
Exploitation
An attacker with network access to the Open5GS SBI interfaces (typically on HTTP/2 ports, default 7777 for NRF, etc.) can send a high volume of HTTP/2 requests that open streams with headers but never complete the request body. No authentication is required, and no user interaction is needed. The generic "hold-open" pattern has been validated against multiple SBI NFs in Docker deployments, consistently reproducing the same assertion failure at ../lib/sbi/nghttp2-server.c:1629 [1].
Impact
Successful exploitation causes the targeted SBI network function to crash due to an assertion failure (ogs_assert(stream)), resulting in a denial of service. This affects the availability of the core network functions (e.g., AMF, SMF, NRF) that rely on the shared SBI HTTP/2 server. There is no confidentiality or integrity impact reported; the vulnerability is limited to service disruption [1].
Mitigation
The vulnerability report recommends applying a patch; no fixed version has been announced as of the publication date (2026-05-30). The maintainers have been notified via the GitHub issue [1]. Users should monitor the Open5GS repository [2] for patched releases (expected after v2.7.7). No workaround other than limiting network access to SBI interfaces (firewall rules or IP allowlisting) is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at this time.
AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Shared SBI HTTP/2 stream and request pool exhaustion leads to a fatal assertion abort in `on_begin_headers()`."
Attack vector
An unauthenticated remote attacker opens many HTTP/2 connections to an SBI NF (e.g., NRF, UDM, AMF) and sends request headers without completing the request body. Each such stream consumes one entry from the shared `stream_pool` and `request_pool`. Once the pools are exhausted, `ogs_pool_id_calloc()` fails, triggering `ogs_assert(stream)` in `on_begin_headers()` and aborting the NF process [1]. The attack is network-based, requires no authentication, and works across all SBI NFs that use the shared nghttp2 server code path.
Affected code
The vulnerability resides in the shared SBI HTTP/2 server at `../lib/sbi/nghttp2-server.c`. The function `ogs_pool_id_calloc` (line 758) allocates a stream from the global `stream_pool` and a request from the global `request_pool` during header processing. When these pools are exhausted, the assertion `ogs_assert(stream)` at line 1629 in `on_begin_headers()` crashes the NF process. Pool sizing is configured centrally in `../lib/sbi/context.c` and `../lib/app/ogs-config.c` based on `max.ue * POOL_NUM_PER_UE` (16).
What the fix does
The advisory does not include a published patch. The expected remediation is for Open5GS to reject excess incomplete HTTP/2 requests with a normal transport or application-layer error instead of aborting the NF process when the shared SBI stream or request pools are exhausted [1]. Until a patch is applied, operators should limit the number of concurrent HTTP/2 streams accepted or apply resource quotas at the network perimeter.
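The remediation described above, as a self-contained C model. This is an added example, not Open5GS code or a published patch; `pool_t`, `begin_headers_hardened`, `hold_open`, `MAX_CONNS` and the result codes are hypothetical names. It sets the assert-on-failure pattern beside a handler that refuses the single stream and enforces a per-connection ceiling.

```c
/* Added model of the failure mode; not Open5GS source. Names are hypothetical. */
#include <assert.h>
#include <stdlib.h>

#define POOL_NUM_PER_UE 16  /* multiplier stated on the page */
#define MAX_CONNS 64        /* assumption for this model */
enum { STREAM_OK = 0, STREAM_REFUSED = -1 };
typedef struct { int in_use, conn; } stream_t;
typedef struct { stream_t *slots; size_t size, conn_cap, per_conn[MAX_CONNS]; } pool_t;
int pool_init(pool_t *p, size_t max_ue, size_t conn_cap) {
    *p = (pool_t){ .size = max_ue * POOL_NUM_PER_UE, .conn_cap = conn_cap };
    p->slots = calloc(p->size, sizeof *p->slots);
    return p->slots ? 0 : -1;
}
/* Returns NULL once every slot is taken. */
stream_t *pool_alloc(pool_t *p, int conn) {
    for (size_t i = 0; i < p->size; i++)
        if (!p->slots[i].in_use) {
            p->slots[i] = (stream_t){ 1, conn };
            p->per_conn[conn]++;
            return &p->slots[i];
        }
    return NULL;
}
/* Called when a request completes or its stream is reset. */
void pool_free(pool_t *p, stream_t *s) {
    if (s && s->in_use) { s->in_use = 0; p->per_conn[s->conn]--; }
}
/* Pattern the page describes: a failed allocation aborts the whole process. */
stream_t *begin_headers_asserting(pool_t *p, int conn) {
    stream_t *s = pool_alloc(p, conn);
    assert(s);
    return s;
}
/* Hardened: refuse this one stream; the process and other streams survive. */
int begin_headers_hardened(pool_t *p, int conn, stream_t **out) {
    *out = NULL;
    if (conn < 0 || conn >= MAX_CONNS || p->per_conn[conn] >= p->conn_cap)
        return STREAM_REFUSED;  /* per-connection ceiling reached */
    *out = pool_alloc(p, conn);
    return *out ? STREAM_OK : STREAM_REFUSED;  /* shared pool empty */
}
/* Opens n streams on one connection and never completes them; counts refusals. */
size_t hold_open(pool_t *p, int conn, size_t n) {
    size_t refused = 0;
    for (stream_t *s; n > 0; n--)
        refused += begin_headers_hardened(p, conn, &s) != STREAM_OK;
    return refused;
}
```

In an nghttp2-based server, the equivalent of `STREAM_REFUSED` in the begin-headers callback is returning `NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE`, which resets only that stream; whether Open5GS adopts this is not stated on the page.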
Preconditions
- network: The attacker must be able to reach the SBI HTTP/2 port (default 80) of any Open5GS SBI NF (e.g., NRF, UDM, AMF).
- auth: No authentication is required; the attack is performed before any business-logic processing.
- input: The attacker must open enough HTTP/2 streams to exhaust the shared stream and request pools, which are sized as `max.ue * 16`.
Reproduction
The researcher provides a reproduction script `h2_hold_open.js` and commands. For a control case on NRF: `docker start nrf; docker run --rm --network open5gs -v /home/ubuntu/open5gs_277/.audit_tmp:/srv node:24-alpine sh -lc 'H2_CONNECTIONS=1 H2_STREAMS_PER_CONNECTION=10 H2_HOLD_MS=3000 node /srv/h2_hold_open.js nrf.open5gs.org 80 /nnrf-nfm/v1/nf-instances'`. For the malicious case: `docker start nrf; docker run --rm --network open5gs -v /home/ubuntu/open5gs_277/.audit_tmp:/srv node:24-alpine sh -lc 'H2_CONNECTIONS=32 H2_STREAMS_PER_CONNECTION=1024 H2_HOLD_MS=12000 node /srv/h2_hold_open.js nrf.open5gs.org 80 /nnrf-nfm/v1/nf-instances'`. The same pattern applies to other SBI NFs by changing the target hostname and path [1].
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.