
PatchSiren cyber security CVE debrief

CVE-2026-10117 Open5GS CVE debrief

A remotely exploitable denial-of-service weakness exists in Open5GS through version 2.7.7, specifically within the ogs_pool_id_calloc function in /lib/sbi/nghttp2-server.c. The vulnerability has been publicly disclosed with exploit availability noted, though CVSS 4.0 scoring indicates LOW severity (2.1). The issue is classified under CWE-404 (Improper Resource Shutdown or Release). The CVE record was published on 2026-05-30 and last modified on 2026-06-01, with current NVD status listed as Deferred. Vendor attribution remains under review with low confidence based on reference domain analysis.

Vendor: Open5GS
Product: Open5GS
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-30
Original CVE updated: 2026-06-01
Advisory published: 2026-05-30
Advisory updated: 2026-06-01

Who should care

Organizations operating Open5GS-based 5G core networks, telecommunications infrastructure providers, mobile network operators using open-source 5G implementations, and security teams responsible for core network availability.

Technical summary

The vulnerability resides in the ogs_pool_id_calloc function within /lib/sbi/nghttp2-server.c of Open5GS versions up to 2.7.7. Successful exploitation enables remote attackers to cause a denial of service through manipulation of the affected function. The nghttp2-server component handles the HTTP/2-based service-based interfaces (SBI) in the 5G core implementation, so this exposure is relevant to deployments that use standard 3GPP SBI connectivity. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L) indicates network reachability with low attack complexity and low privilege requirements; the impact is limited to availability degradation, with no confidentiality or integrity effects.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Open5GS to a version beyond 2.7.7 once a patched release becomes available
  • Monitor the Open5GS GitHub repository for security advisories and patch releases
  • Review and restrict network access to Open5GS SBI interfaces to authorized entities only
  • Implement resource monitoring and rate limiting on nghttp2-server endpoints to mitigate potential DoS conditions
  • Validate pool allocation patterns in custom Open5GS deployments for abnormal resource exhaustion behavior

Evidence notes

The vulnerability affects Open5GS up to version 2.7.7 per the source description. The CVSS 4.0 vector confirms a network attack vector with low attack complexity, requiring low privileges and no user interaction. Exploit existence is marked as present (E:P) in the CVSS vector. NVD status is Deferred as of source capture. Vendor identification is sourced from the VulDB reference domain with a low-confidence flag.
