VYPR
Low severity · 3.1 · NVD Advisory · Published Jun 2, 2026

CVE-2026-10565

Description

Open5GS versions prior to 2.7.6 contain a race condition in the NGAP Handover component allowing remote attackers to redirect user traffic.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A race condition exists in the gmm_state_security_mode function within src/amf/gmm-sm.c in Open5GS versions up to and including 2.7.6. The flaw is tied to the NGAP Handover component and can be triggered remotely, though attack complexity is high and exploitation is considered difficult [2]. It arises because the AMF does not check for concurrent security procedures, specifically a NAS Security Mode Command (SMC) running alongside an N2 handover [2].

Exploitation

An attacker can exploit this vulnerability by manipulating NGAP messages. Specifically, a forged PDUSessionResourceSetupResponse message can be sent from a secondary gNB (gnb-B) that references another UE's AMF-UE-NGAP-ID. If the AMF does not properly scope the UE context lookup to the sending gNB, it will incorrectly resolve the victim's UE context and forward the response to the SMF. This allows the attacker to reprogram the User Plane Function (UPF) and redirect the victim's downlink user-plane traffic to their own gNB [1].

Impact

Successful exploitation allows an attacker to redirect a victim's downlink user-plane traffic to a gNB controlled by the attacker. This results in a loss of confidentiality and integrity for the victim's data traffic, as it is intercepted and potentially modified by the attacker. The scope of the compromise is limited to the specific UE whose traffic is redirected [1].

Mitigation

A pull request to address this issue has been submitted and awaits acceptance [1]. The fix involves adding a check to ensure that UE-associated NGAP messages are processed only when the resolved UE is owned by the gNB that sent the message. The affected versions are Open5GS up to 2.7.6. No patched version or workaround has been disclosed in the available references at this time.

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

318eeb49a7dc

Release v2.7.7

https://github.com/open5gs/open5gs · Sukchan Lee · Mar 15, 2026 · Fixed in 2.7.7 via release-tag
6 files changed · +63 -6
  • debian/changelog +42 -0 modified
    @@ -1,3 +1,45 @@
    +open5gs (2.7.7) unstable; urgency=medium
    +
    +  * Bug Fixed
    +
    + -- Sukchan Lee <acetcom@gmail.com>  Sun, 15 Mar 2026 20:35:27 +0900
    +
    +open5gs (2.7.7~questing) questing; urgency=medium
    +
    +  * Bug Fixed
    +
    + -- Sukchan Lee <acetcom@gmail.com>  Sun, 15 Mar 2026 20:32:45 +0900
    +
    +open5gs (2.7.7~plucky) plucky; urgency=medium
    +
    +  * Bug Fixed
    +
    + -- Sukchan Lee <acetcom@gmail.com>  Sun, 15 Mar 2026 20:29:35 +0900
    +
    +open5gs (2.7.7~noble) noble; urgency=medium
    +
    +  * Bug Fixed
    +
    + -- Sukchan Lee <acetcom@gmail.com>  Sun, 15 Mar 2026 20:27:45 +0900
    +
    +open5gs (2.7.7~jammy) jammy; urgency=medium
    +
    +  * Bug Fixed
    +
    + -- Sukchan Lee <acetcom@gmail.com>  Sun, 15 Mar 2026 20:26:00 +0900
    +
    +open5gs (2.7.7~focal) focal; urgency=medium
    +
    +  * Bug Fixed
    +
    + -- Sukchan Lee <acetcom@gmail.com>  Sun, 15 Mar 2026 20:23:53 +0900
    +
    +open5gs (2.7.7~bionic) bionic; urgency=medium
    +
    +  * Bug Fixed
    +
    + -- Sukchan Lee <acetcom@gmail.com>  Sun, 15 Mar 2026 20:21:59 +0900
    +
     open5gs (2.7.6) unstable; urgency=medium
     
       * Bug Fixed
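
Review bot: every entry added in this hunk (2.7.7 and each of the ~questing through ~bionic variants) says only "* Bug Fixed", which gives downstream packagers nothing to triage on. If the release carries a security-relevant fix, name it in the entry (affected component plus the issue or CVE reference) and reconsider urgency=medium, since that field is what signals update priority to packagers.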
    
  • docs/assets/webui/install +1 -1 modified
    @@ -10,7 +10,7 @@
     #
     
     PACKAGE="open5gs"
    -VERSION="2.7.0"
    +VERSION="2.7.7"
     
     print_status() {
         echo
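
Review bot: VERSION goes from "2.7.0" straight to "2.7.7" on the changed line, while the changelog context in this same commit shows the previous release was 2.7.6, so this hand-maintained copy had gone stale across several releases. Suggest deriving it from a single source at release time, or adding a release check that fails when the copies disagree, so the installer cannot advertise a version other than the one it installs.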
    
  • docs/_posts/2026-03-15-release-v2.7.7.md +15 -0 added
    @@ -0,0 +1,15 @@
    +---
    +title: "v2.7.7 - Bug fixed"
    +date: 2026-03-15 20:41:00 +0900
    +categories:
    +  - Release
    +tags:
    +  - News
    +  - Release
    +head_inline: "<style> ul { padding-bottom: 1em; } .blue { color: blue; }</style>"
    +---
    +
    +See [Release Note](https://github.com/open5gs/open5gs/releases/tag/v2.7.7)
    +
    +Download -- [v2.7.7.tar.gz](https://github.com/open5gs/open5gs/archive/v2.7.7.tar.gz)
    +{: .notice--info}
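
Review bot: the Download line links the v2.7.7.tar.gz source archive with no checksum or signature beside it, so a reader has nothing to verify the tarball against. Suggest publishing a SHA-256 or a signed-tag reference in the post; the title "v2.7.7 - Bug fixed" also gives no hint whether the release has security content.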
    
  • meson.build +2 -2 modified
    @@ -16,7 +16,7 @@
     # along with this program.  If not, see <https://www.gnu.org/licenses/>.
     
     project('open5gs', 'c', 'cpp',
    -    version : '2.7.6',
    +    version : '2.7.7',
         license : 'AGPL-3.0-or-later',
         meson_version : '>= 0.43.0',
         default_options : [
    @@ -25,7 +25,7 @@ project('open5gs', 'c', 'cpp',
         ],
     )
     
    -libogslib_version = '2.7.6'
    +libogslib_version = '2.7.7'
     
     prefix = get_option('prefix')
     bindir = join_paths(prefix, get_option('bindir'))
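
Review bot: libogslib_version is a second hand-edited literal that mirrors the project version changed in the hunk above, so each release has to touch both. If the two are meant to stay in lockstep, set it from meson.project_version(); if they are allowed to diverge, a comment saying so would help the next person doing a release bump.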
    
  • webui/package.json +1 -1 modified
    @@ -1,6 +1,6 @@
     {
       "name": "open5gs",
    -  "version": "2.7.0",
    +  "version": "2.7.7",
       "description": "Open5gs",
       "main": "index.js",
       "repository": "https://github.com/open5gs/open5gs/webui",
    
  • webui/package-lock.json +2 -2 modified
    @@ -1,12 +1,12 @@
     {
       "name": "open5gs",
    -  "version": "2.7.0",
    +  "version": "2.7.7",
       "lockfileVersion": 3,
       "requires": true,
       "packages": {
         "": {
           "name": "open5gs",
    -      "version": "2.7.0",
    +      "version": "2.7.7",
           "license": "AGPL-3.0",
           "dependencies": {
             "axios": "^0.27.2",
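
Review bot: the context line "license": "AGPL-3.0" disagrees with meson.build in this same commit, which declares 'AGPL-3.0-or-later'. Worth aligning while these files are being touched: the bare AGPL-3.0 SPDX identifier is deprecated in favour of AGPL-3.0-only / AGPL-3.0-or-later, and license scanners will report the two components differently. Change it in webui/package.json and regenerate the lockfile rather than editing the lockfile by hand.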
    

Vulnerability mechanics

Root cause

"The AMF does not enforce rules preventing concurrent security procedures, leading to potential key mismatches."

Attack vector

An attacker can initiate a handover procedure and then trigger a re-registration of the UE. This causes the AMF to initiate a Security Mode Command (SMC) while the handover procedure is still ongoing, violating 3GPP TS 33.501 §6.9.5.1 rules [ref_id=2]. This can be initiated remotely due to the network-based nature of the vulnerability.

Affected code

The vulnerability exists in the `gmm_state_security_mode` function within `src/amf/gmm-sm.c` and the `HandoverRequired` handler in `src/amf/ngap-handler.c` [ref_id=2]. The fix involves changes to `ran_ue_find_by_amf_ue_ngap_id()` in `src/amf/ngap-handler.c` [patch_id=4437618].

What the fix does

The patch modifies the `ran_ue_find_by_amf_ue_ngap_id()` function to accept a `gnb` parameter and refuse lookups when the resolved UE's gNB ID does not match the sending gNB's ID [patch_id=4437618]. This prevents a rogue gNB from forging NGAP messages that reference another UE's context, thereby stopping the redirection of the victim's downlink user-plane traffic to the attacker's gNB [ref_id=1]. An exception is made for Xn-Handover PathSwitchRequest messages, which have different lookup semantics.
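
The ownership check described above, shown beside the unscoped lookup it replaces. This is an added example, not Open5GS code: the types, function names, the `allow_cross_gnb` flag and the sample IDs are all hypothetical and the state table is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for AMF state; all names here are hypothetical. */
typedef struct { uint32_t gnb_id; } gnb_t;
typedef struct {
    uint64_t amf_ue_ngap_id; /* AMF-allocated, unique across all gNBs */
    const gnb_t *owner;      /* gNB whose NG association carries this UE */
} ran_ue_t;

/* Constructed sample state: two gNBs with one UE attached through each. */
static const gnb_t GNB_A = { 0x0A }, GNB_B = { 0x0B };
static const ran_ue_t UE_TABLE[] = { { 1001, &GNB_A }, { 1002, &GNB_B } };
#define UE_COUNT (sizeof(UE_TABLE) / sizeof(UE_TABLE[0]))

/* Pre-fix behaviour: the ID alone resolves the context, whoever sent it. */
const ran_ue_t *ue_find_unscoped(uint64_t id)
{
    for (size_t i = 0; i < UE_COUNT; i++)
        if (UE_TABLE[i].amf_ue_ngap_id == id)
            return &UE_TABLE[i];
    return NULL;
}

/* Post-fix behaviour: the resolved UE must belong to the sending gNB.
 * allow_cross_gnb models the PathSwitchRequest exception (assumption:
 * a per-call flag), where the new gNB legitimately names a UE it does
 * not own yet. */
const ran_ue_t *ue_find_scoped(const gnb_t *sender, uint64_t id,
                               bool allow_cross_gnb)
{
    const ran_ue_t *ue = ue_find_unscoped(id);
    if (ue == NULL || sender == NULL)
        return NULL;
    if (!allow_cross_gnb && ue->owner->gnb_id != sender->gnb_id)
        return NULL; /* reject the message; worth logging as an anomaly */
    return ue;
}

int main(void)
{
    /* gNB B names UE 1001, which is attached through gNB A. */
    printf("unscoped: %s\n", ue_find_unscoped(1001) ? "resolved" : "refused");
    printf("scoped:   %s\n",
           ue_find_scoped(&GNB_B, 1001, false) ? "resolved" : "refused");
    return 0;
}
```

A refused lookup is also a useful detection signal: a gNB that repeatedly references AMF-UE-NGAP-IDs it does not own is either misconfigured or misbehaving.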

Preconditions

  • network: The attack can be initiated remotely.
  • auth: The attacker has low privileges (PR:L).

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
