Executive Summary

This vulnerability exists in Open5GS up to version 2.7.7, specifically in the function ogs_sbi_xact_add within the ue-authentications Endpoint component. It is caused by exhaustion of a finite timer pool due to stalled outbound Service-Based Interface (SBI) transactions when handling repeated bursts of POST requests to the authentication endpoint.

When a client resets HTTP/2 streams, the local stream and request objects are freed immediately, but the outbound transactions and their timers remain pending until timeout. Repeated bursts of such requests deplete the timer pool, causing allocation failures in ogs_sbi_xact_add, which leads to assertion aborts and crashes of the AUSF (Authentication Server Function) process.

The root cause is the default finite sizing of the timer pool, which is limited and can be exhausted by this attack pattern. The vulnerability can be exploited remotely by sending multiple bursts of authentication requests while keeping the UDM service unresponsive.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service (DoS) by crashing the AUSF process in Open5GS. When exploited, the authentication server crashes due to timer pool exhaustion, making the 5G core network unable to process authentication requests.

As a result, legitimate users may be unable to authenticate and access network services, leading to service disruption and potential downtime in the mobile network infrastructure.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for repeated bursts of POST requests to the endpoint `/nausf-auth/v1/ue-authentications` that cause crashes or abnormal behavior in the AUSF (Authentication Server Function) component of Open5GS.

Specifically, detection involves observing if the AUSF process crashes due to timer pool exhaustion triggered by stalled outbound SBI transactions to the UDM service.

While no explicit commands are provided in the resources, network administrators can use tools like curl or HTTP clients to simulate bursts of POST requests to `/nausf-auth/v1/ue-authentications` and monitor the AUSF logs or process stability.

• Use network monitoring tools to detect high volumes of POST requests to `/nausf-auth/v1/ue-authentications`.
• Check AUSF logs for assertion aborts or crashes related to `ogs_sbi_xact_add()` failures.
• Simulate repeated POST requests with a command like: `curl -X POST https://<open5gs-server>/nausf-auth/v1/ue-authentications -d '<payload>'` in bursts and observe system behavior.

Useful 0 Not Useful 0

Mitigation Strategies

The recommended immediate mitigation step is to apply the patch that fixes this vulnerability.

The patch introduces a mechanism to automatically cancel pending outbound SBI transactions when the associated inbound server stream or session is closed, preventing timer pool exhaustion and subsequent crashes.

Until the patch is applied, it is advisable to monitor and limit the rate of authentication requests to avoid exhausting the timer pool.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-10116 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0