CVE-2026-10157
Deferred Deferred - Pending Action
Improper Authentication in Open5GS NGAP PathSwitchRequest Handler

Publication date: 2026-05-31

Last updated on: 2026-06-01

Assigner: VulDB

Description
A vulnerability was identified in Open5GS up to 2.7.6. This impacts an unknown function of the file src/amf/ngap-handler.c of the component NGAP PathSwitchRequest Message Handler. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is a188e36b1741ffc2252133f59b1bda4f14d3cb5c. It is suggested to install a patch to address this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-31
Last Modified
2026-06-01
Generated
2026-06-20
AI Q&A
2026-05-31
EPSS Evaluated
2026-06-19
NVD
CVE-2026-10157
EUVD
EUVD-2026-33476
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open5gs open5gs to 2.7.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Open5GS up to version 2.7.6, specifically in the NGAP PathSwitchRequest Message Handler component. The issue arises because the AMF (Access and Mobility Management Function) fails to properly verify UE (User Equipment) security capabilities received in PathSwitchRequest messages against the locally stored values. Instead, it overwrites the stored security capabilities with potentially incorrect or malicious values sent by a target RAN node.

This improper authentication allows a remote attacker, such as a malicious gNB, to manipulate the UE's security context by sending arbitrary security capabilities. The corrupted security information then propagates to other legitimate network nodes, causing persistent denial-of-service conditions during handover procedures.

The vulnerability is due to missing verification and mismatch detection in the code handling the PathSwitchRequest, which violates security standards and can be exploited remotely. A patch has been released to fix this by adding verification, mismatch detection, logging, and preserving the correct locally stored security capabilities.

Impact Analysis

This vulnerability can lead to improper authentication and manipulation of UE security capabilities within the 5G or 4G core network. An attacker can remotely exploit this flaw to overwrite the legitimate security capabilities with incorrect values.

The impact includes persistent denial-of-service (DoS) for affected user equipment during handover procedures, as corrupted security information causes target network nodes to reject handover requests.

This can disrupt network service availability for users, degrade network reliability, and potentially allow unauthorized manipulation of security parameters, undermining the integrity and confidentiality of communications.

Compliance Impact

The vulnerability violates 3GPP security standards, specifically the requirement to verify UE security capabilities during path switch procedures as outlined in 3GPP TS 33.501 Β§6.7.3.1.

Failure to properly authenticate and protect UE security capabilities can lead to unauthorized manipulation of security contexts, which may result in breaches of confidentiality, integrity, and availability of user data.

Such security failures could impact compliance with regulations like GDPR and HIPAA, which mandate protection of personal and sensitive data, as well as ensuring network security to prevent unauthorized access and service disruption.

Detection Guidance

This vulnerability can be detected by monitoring logs for mismatches between locally stored UE security capabilities and those received in PathSwitchRequest messages. The patched Open5GS implementation logs any detected mismatches with details of stored versus received security capabilities.

To detect exploitation attempts, you should check the AMF logs for entries indicating security capability mismatches during path switch procedures.

Since the vulnerability involves improper overwriting of UE security capabilities in the AMF component, you can look for unusual or repeated PathSwitchRequest messages from gNBs that cause capability mismatches.

Specific commands depend on your logging setup, but generally, you can use commands like:

  • grep 'UE security capability mismatch' /var/log/open5gs/amf.log
  • tail -f /var/log/open5gs/amf.log | grep PathSwitchRequest
  • Use packet capture tools (e.g., tcpdump) to monitor NGAP PathSwitchRequest messages for suspicious or malformed UE security capabilities.
Mitigation Strategies

The immediate and recommended mitigation step is to apply the official patch identified by commit a188e36b1741ffc2252133f59b1bda4f14d3cb5c to your Open5GS deployment.

This patch ensures that the AMF/MME verifies UE security capabilities received in PathSwitchRequest messages against locally stored values, preventing unauthorized overwriting.

Until the patch is applied, consider restricting or monitoring untrusted gNBs that can send PathSwitchRequest messages to the AMF to reduce the risk of exploitation.

Additionally, enable detailed logging on the AMF to detect and respond to any suspicious PathSwitchRequest messages that may indicate an attack attempt.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10157. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart