CVE-2026-10117
Denial of Service in Open5GS due to ogs_pool_id_calloc
Publication date: 2026-05-30
Last updated on: 2026-05-30
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | to 2.7.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability CVE-2026-10117 in Open5GS up to version 2.7.7 is a weakness in the HTTP/2 server implementation used by the Service-Based Interface (SBI) network functions. Specifically, it involves the function ogs_pool_id_calloc in the library /lib/sbi/nghttp2-server.c.
The issue arises because Open5GS uses a shared nghttp2-based SBI server that allocates stream and request objects from global pools. When an attacker sends many HTTP/2 requests with headers but never completes the request bodies, the server exhausts these shared pools.
This exhaustion causes allocation failures, and the on_begin_headers() function triggers an assertion failure, causing the affected network functions to crash or restart automatically if configured.
This vulnerability can be exploited remotely and has been publicly disclosed, with patches available to fix the issue.
How can this vulnerability impact me? :
This vulnerability can lead to a denial of service (DoS) condition in Open5GS network functions by causing them to crash or restart unexpectedly.
An attacker can remotely exploit this by sending numerous incomplete HTTP/2 requests, exhausting server resources and causing service interruptions.
Such disruptions can affect the availability of critical 5G core network components like NRF, UDM, UDR, NSSF, BSF, PCF, AMF, AUSF, and SMF, potentially impacting network reliability and user connectivity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the behavior of Open5GS Service-Based Interface (SBI) Network Functions (NFs) for crashes or restarts caused by exhaustion of shared HTTP/2 server pools.
Specifically, if the NFs such as NRF, UDM, UDR, NSSF, BSF, PCF, AMF, AUSF, and SMF crash with exit codes 139 or 134 or restart unexpectedly, it may indicate exploitation of this vulnerability.
To detect attempts to exploit this issue, you can monitor for a high number of incomplete HTTP/2 requests with headers sent but without completing the request bodies, which exhausts the shared stream and request pools.
While no specific commands are provided in the resources, network administrators can use tools like tcpdump or Wireshark to capture and analyze HTTP/2 traffic for abnormal patterns of incomplete requests.
- Use tcpdump to capture HTTP/2 traffic on the relevant ports (e.g., 80 or 443): tcpdump -i <interface> port 80 or port 443 -w capture.pcap
- Analyze the capture with Wireshark to identify many HTTP/2 streams with headers but no data frames.
- Monitor Open5GS NF logs for assertion failures or crashes referencing 'ogs_assert(stream)' or exit codes 139/134.
What immediate steps should I take to mitigate this vulnerability?
The immediate and best practice step to mitigate this vulnerability is to apply the patch provided by the Open5GS project that addresses the issue in the on_begin_headers() function.
This patch changes the behavior to handle pool allocation failures gracefully by returning normal error responses instead of triggering assertions that cause crashes.
Until the patch is applied, monitoring for suspicious HTTP/2 traffic patterns and limiting the number of concurrent HTTP/2 streams or requests may help reduce the risk.
Additionally, configuring automatic restarts of affected NFs can help maintain service availability if crashes occur.