VYPR
Medium severity 4.3 · NVD Advisory · Published May 17, 2026 · Updated May 18, 2026

CVE-2026-8745

Description

A vulnerability was identified in Open5GS up to 2.7.7. Affected by this vulnerability is the function ogs_timer_add in the library /src/ausf/nausf-handler.c of the component AUSF. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Denial of service in Open5GS AUSF via timer pool exhaustion when sending repeated 5G-AKA confirmation requests with pending UDM events.

Vulnerability

A denial-of-service vulnerability exists in Open5GS up to version 2.7.7. The flaw is in the ogs_timer_add function within /src/ausf/nausf-handler.c of the AUSF component. When a valid authentication context exists and UDM holds a pending POST /nudm-ueau/v1/{supi}/auth-events request, repeated bursts of PUT /nausf-auth/v1/ue-authentications/{authCtxId}/5g-aka-confirmation exhaust the timer pool, causing ogs_timer_add to fail and leading to a crash [1].

Exploitation

An attacker must have network access to the AUSF endpoint and be able to create a valid authentication context (e.g., by initiating an authentication procedure). The exploit requires a UDM that keeps auth-events transactions pending (a fake UDM can be used). The attacker then sends multiple short-lived confirmation requests in bursts. Each request consumes a timer that is not released until the pending UDM transaction times out, eventually exhausting the timer pool [1].

Impact

Successful exploitation results in denial of service: the AUSF process crashes on an assertion failure at nausf-handler.c:115, making the AUSF instance unavailable. This disrupts authentication services for 5G core network functions that rely on AUSF.

Mitigation

As of the publication date, no fix has been released. The project has not responded to the issue report [1]. Operators should consider rate-limiting incoming requests to the AUSF or configuring downtime monitoring to detect crashes. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
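
The rate-limiting idea above, as an added example (not Open5GS code and not from the advisory): a simplified C model of a fixed-size timer pool in which each confirmation holds a timer until the upstream reply or timeout, comparing no admission control with a per-context cap on in-flight confirmations. The pool size, the cap, the status codes and all function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 8           /* constructed: small shared timer pool */
#define MAX_PENDING_PER_CTX 2 /* assumed cap on in-flight confirmations per context */
#define MAX_CTX 4

struct model {
    int free_timers;      /* timers left in the shared pool */
    int pending[MAX_CTX]; /* confirmations waiting on the upstream, per context */
};

static void model_init(struct model *m) {
    memset(m, 0, sizeof(*m));
    m->free_timers = POOL_SIZE;
}

/* 0 = accepted (timer held), 429 = per-context cap hit, 503 = pool empty.
 * Returning 503 models handling the allocation failure instead of asserting. */
static int confirm_request(struct model *m, int ctx, int capped) {
    if (capped && m->pending[ctx] >= MAX_PENDING_PER_CTX) return 429;
    if (m->free_timers == 0) return 503;
    m->free_timers--;
    m->pending[ctx]++;
    return 0;
}

/* Upstream answered or its transaction timed out: the timer goes back. */
static void upstream_done(struct model *m, int ctx) {
    if (m->pending[ctx] > 0) { m->pending[ctx]--; m->free_timers++; }
}

/* Burst on context 0 while the upstream stays silent, optionally release
 * `released` of those, then report what a request on context 1 receives. */
static int other_ctx_after_burst(int burst, int capped, int released) {
    struct model m;
    model_init(&m);
    for (int i = 0; i < burst; i++) confirm_request(&m, 0, capped);
    for (int i = 0; i < released; i++) upstream_done(&m, 0);
    return confirm_request(&m, 1, capped);
}

int main(void) {
    printf("no cap:          %d\n", other_ctx_after_burst(100, 0, 0));
    printf("no cap, 1 freed: %d\n", other_ctx_after_burst(100, 0, 1));
    printf("per-ctx cap:     %d\n", other_ctx_after_burst(100, 1, 0));
    return 0;
}
```

A per-context cap does not bound the total when many contexts are in use, so a global in-flight limit below the pool size is still needed alongside it.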

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

4
