CVE-2026-10565
Status: Received - Intake
Race Condition in Open5GS NGAP Handover

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: VulDB

Description
A security flaw has been discovered in Open5GS up to and including version 2.7.6. The affected code is the function gmm_state_security_mode in the file src/amf/gmm-sm.c, part of the NGAP Handover component. Manipulation of this function leads to a race condition. The attack can be initiated remotely, but the attack complexity is high and exploitation is considered difficult. An exploit has been released publicly and may be used in attacks. The pull request that fixes this issue has not yet been accepted.
Meta Information
Generated: 2026-06-02
AI Q&A generated: 2026-06-02
EPSS evaluated: N/A
Affected Vendors & Products
Vendor    Product    Version / Range
open5gs   open5gs    2.7.6
open5gs   open5gs    up to 2.7.6 (inclusive)
CWE
CWE-362: The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-10565 is a security flaw in Open5GS up to version 2.7.6 affecting the NGAP Handover component, specifically the function gmm_state_security_mode in the file src/amf/gmm-sm.c. The vulnerability arises from a race condition caused by the lack of proper validation and state tracking during concurrent NAS Security Mode Command (SMC) and N2 handover procedures.

This flaw allows the AMF (Access and Mobility Management Function) to initiate a NAS SMC while an N2 handover with a new NH/NCC key is still ongoing, or vice versa, leading to mismatches in security contexts and key derivation between the UE and the network. Essentially, Open5GS does not serialize these security procedures, violating 3GPP TS 33.501 §6.9.5.1.

Additionally, the vulnerability involves improper verification of AMF-UE-NGAP-ID ownership by the sending gNB, allowing a malicious gNB to forge NGAP messages referencing another gNB's UE-associated NGAP ID. This can cause the AMF to incorrectly process these messages, potentially redirecting victim traffic to an attacker-controlled gNB.

The attack can be initiated remotely, but it is considered complex and difficult to exploit. A fix has been proposed but awaits acceptance.


How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker to manipulate the security procedures during handover in the 5G core network, potentially causing mismatches in security keys between the user equipment (UE) and the network.

Such mismatches can lead to degraded security, including the possibility of unauthorized interception or redirection of user traffic.

Specifically, a malicious gNB could forge NGAP messages to redirect downlink traffic intended for a victim UE to the attacker’s gNB, compromising confidentiality and integrity of communications.

Although the attack complexity is high and exploitability is difficult, the exploit code is publicly available, increasing the risk of real-world attacks.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability violates 3GPP TS 33.501 §6.9.5.1, which mandates proper serialization and validation of NAS Security Mode Command and handover procedures to maintain secure key management.

Failure to enforce these security procedures can lead to unauthorized access or interception of user data, potentially resulting in breaches of confidentiality and data integrity.

Such breaches could impact compliance with data protection regulations like GDPR and HIPAA, which require appropriate technical measures to protect personal and sensitive data.

Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to compromised security controls in the 5G core network.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a race condition in the Open5GS AMF component during NGAP handover and NAS Security Mode Command procedures, which can be exploited remotely. Detection would involve monitoring for unusual or concurrent NGAP messages related to security mode commands and handover procedures, especially overlapping NAS Security Mode Commands and N2 handovers for the same UE.

Since the vulnerability is related to concurrent NAS Security Mode Command and N2 handover procedures, network operators can look for signs of simultaneous security procedures for the same UE in logs or traces.

However, no explicit detection commands or tools are provided in the available resources or CVE description.
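Since the page offers no detection commands, the following is an added example (not from Open5GS or the CVE source) of the check the answer describes: scanning AMF log lines for a UE whose NAS Security Mode Command and N2 handover overlap in time. The log lines are constructed for the example and only approximate the Open5GS AMF log layout (timestamp, layer tag, level, UE identity, message); the exact message texts and the `find_overlaps` helper are assumptions, so adjust `LOG_RE` and `EVENTS` to the wording your deployment actually emits.

```python
"""Flag UEs whose NAS SMC and N2 handover procedures overlap in AMF logs."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed layout: "MM/DD HH:MM:SS.mmm: [layer] LEVEL: [ue-id] message"
LOG_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d\.\d+): \[(?P<layer>\w+)\] \w+: "
    r"\[(?P<ue>[^\]]+)\] (?P<msg>.*)$"
)

# (layer, message prefix) -> (procedure, "open" | "close"); texts are assumed.
EVENTS: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("gmm", "Security mode command"): ("smc", "open"),
    ("gmm", "Security mode complete"): ("smc", "close"),
    ("gmm", "Security mode reject"): ("smc", "close"),
    ("ngap", "Handover required"): ("ho", "open"),
    ("ngap", "Handover notify"): ("ho", "close"),
    ("ngap", "Handover cancel"): ("ho", "close"),
    ("ngap", "Handover failure"): ("ho", "close"),
}


@dataclass
class Alert:
    ue: str
    ts: str           # when the second procedure started
    started: str      # procedure that started while another was still open
    while_open: str   # procedure that was still open at that moment
    open_since: str   # when the still-open procedure started


def classify(layer: str, msg: str) -> Optional[Tuple[str, str]]:
    """Map a log message to a (procedure, open/close) event, or None."""
    for (lyr, prefix), event in EVENTS.items():
        if lyr == layer and msg.startswith(prefix):
            return event
    return None


def find_overlaps(lines: List[str]) -> List[Alert]:
    """Return one Alert per procedure that opened while a different one was
    still open for the same UE; lines that do not parse are ignored."""
    open_procs: Dict[str, Dict[str, str]] = {}   # ue -> {procedure: opened-at}
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        event = classify(m["layer"], m["msg"])
        if event is None:
            continue
        proc, action = event
        state = open_procs.setdefault(m["ue"], {})
        if action == "open":
            for other, since in state.items():
                if other != proc:
                    alerts.append(Alert(m["ue"], m["ts"], proc, other, since))
            state[proc] = m["ts"]
        else:
            state.pop(proc, None)
    return alerts


# Constructed sample: UE ...001 and ...003 overlap, UE ...002 is clean.
SAMPLE_LOG = """\
06/02 10:00:00.101: [gmm] INFO: [imsi-001010000000001] Security mode command
06/02 10:00:00.120: [ngap] INFO: [imsi-001010000000001] Handover required
06/02 10:00:00.150: [ngap] INFO: [imsi-001010000000001] Handover notify
06/02 10:00:00.200: [gmm] INFO: [imsi-001010000000001] Security mode complete
06/02 10:00:01.000: [gmm] INFO: [imsi-001010000000002] Security mode command
06/02 10:00:01.050: [gmm] INFO: [imsi-001010000000002] Security mode complete
06/02 10:00:01.080: [ngap] INFO: [imsi-001010000000002] Handover required
06/02 10:00:01.130: [ngap] INFO: [imsi-001010000000002] Handover notify
06/02 10:00:02.000: [ngap] INFO: [imsi-001010000000003] Handover required
06/02 10:00:02.010: [gmm] INFO: [imsi-001010000000003] Security mode command
06/02 10:00:02.300: [amf] INFO: gNB-N2 accepted[10.0.0.5]:9487
""".splitlines()

if __name__ == "__main__":
    for a in find_overlaps(SAMPLE_LOG):
        print(f"{a.ts} {a.ue}: {a.started} started while {a.while_open} "
              f"open since {a.open_since}")
```

Run it against `tail -f` output of the AMF log, or over an archived log file, and treat any alert as a candidate for the condition described in this CVE; a legitimate network should never show the two procedures interleaved for one UE, so the false-positive rate of this check is driven only by how faithfully `EVENTS` matches your log wording.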


What immediate steps should I take to mitigate this vulnerability?

The proposed fix adds validation so that a NAS Security Mode Command and an N2 handover can never run concurrently for the same UE: the two procedures are serialized, which prevents the UE and the network from deriving different keys.

Immediate mitigation steps include:

  • Apply the patch, or update Open5GS to a release that includes the fix for CVE-2026-10565, once it has been accepted and released.
  • Restrict and monitor NGAP traffic reaching the AMF: accept N2 (SCTP) associations only from known gNBs, and treat an NGAP message that references an AMF-UE-NGAP-ID not allocated to the sending gNB's association as forged, since the vulnerability allows such forged messages to be processed.
  • Limit network-level access to the AMF's N2 interface from untrusted gNBs to reduce the attack surface.

Until the fix is applied, keep in mind that the exploit is public and may be used in attacks, so heightened monitoring and strict access control are recommended.
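The two AMF-side checks this page describes, AMF-UE-NGAP-ID ownership (the explanation above) and per-UE serialization of NAS SMC and N2 handover (the fix described in this answer), as an added Python model. This is illustrative code written for this page; it is not Open5GS code, not the pending pull request, and does not show how the C implementation in src/amf/gmm-sm.c is structured. The `Amf`, `UeContext` and `Rejected` names, the gNB labels and the reduced handover flow (Handover Required, then Handover Notify from the target) are assumptions; the NCC is modelled as the 3-bit counter that TS 33.501 defines, incremented once per N2 handover.

```python
"""Model of AMF-UE-NGAP-ID ownership and per-UE security-procedure serialization."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, Optional


class Proc(Enum):
    """Security-relevant procedure currently pending for a UE."""
    NONE = auto()
    SMC = auto()           # NAS Security Mode Command awaiting Security Mode Complete
    N2_HANDOVER = auto()   # N2 handover awaiting Handover Notify


class Rejected(Exception):
    """The message must be dropped instead of being processed."""


@dataclass
class UeContext:
    amf_ue_ngap_id: int
    gnb: str                       # gNB association the AMF-UE-NGAP-ID was allocated to
    ncc: int = 0                   # Next-hop Chaining Counter (3 bits), modelled
    pending: Proc = Proc.NONE
    ho_target: Optional[str] = None


class Amf:
    """Assumed minimal AMF: allocates NGAP IDs and enforces the two checks."""

    def __init__(self) -> None:
        self.ues: Dict[int, UeContext] = {}
        self._next_id = 1

    def register(self, gnb: str) -> UeContext:
        """Allocate an AMF-UE-NGAP-ID for a UE served through `gnb`."""
        ue = UeContext(self._next_id, gnb)
        self._next_id += 1
        self.ues[ue.amf_ue_ngap_id] = ue
        return ue

    def _owned(self, amf_ue_ngap_id: int, sender: str) -> UeContext:
        """Ownership check: only the allocating gNB, or the recorded target
        while a handover is pending, may reference this AMF-UE-NGAP-ID."""
        ue = self.ues.get(amf_ue_ngap_id)
        if ue is None:
            raise Rejected(f"unknown AMF-UE-NGAP-ID {amf_ue_ngap_id}")
        allowed = {ue.gnb}
        if ue.pending is Proc.N2_HANDOVER and ue.ho_target:
            allowed.add(ue.ho_target)
        if sender not in allowed:
            raise Rejected(f"{sender} does not own AMF-UE-NGAP-ID {amf_ue_ngap_id}")
        return ue

    def _begin(self, ue: UeContext, proc: Proc) -> None:
        """Serialization check: one security procedure at a time per UE."""
        if ue.pending is not Proc.NONE:
            raise Rejected(f"{proc.name} refused: {ue.pending.name} still in progress")
        ue.pending = proc

    def start_smc(self, ue: UeContext) -> None:
        self._begin(ue, Proc.SMC)

    def smc_complete(self, ue: UeContext) -> None:
        if ue.pending is not Proc.SMC:
            raise Rejected("Security Mode Complete without a pending SMC")
        ue.pending = Proc.NONE

    def handover_required(self, amf_ue_ngap_id: int, sender: str, target: str) -> int:
        """Source gNB asks for an N2 handover; returns the NCC of the fresh NH/NCC pair."""
        ue = self._owned(amf_ue_ngap_id, sender)
        self._begin(ue, Proc.N2_HANDOVER)
        ue.ho_target = target
        ue.ncc = (ue.ncc + 1) % 8
        return ue.ncc

    def handover_notify(self, amf_ue_ngap_id: int, sender: str) -> UeContext:
        """Target gNB reports the UE has arrived; ownership moves to it."""
        ue = self._owned(amf_ue_ngap_id, sender)
        if ue.pending is not Proc.N2_HANDOVER or sender != ue.ho_target:
            raise Rejected("Handover Notify from a gNB that is not the handover target")
        ue.gnb, ue.ho_target, ue.pending = sender, None, Proc.NONE
        return ue


def _attempt(fn, *args) -> str:
    try:
        fn(*args)
        return "accepted"
    except Rejected as exc:
        return f"rejected: {exc}"


def demo() -> Dict[str, object]:
    """Walk one UE through the overlapping and forged cases the page describes."""
    amf = Amf()
    ue = amf.register("gnb-A")
    out: Dict[str, object] = {}
    amf.start_smc(ue)
    out["ho_during_smc"] = _attempt(amf.handover_required, ue.amf_ue_ngap_id, "gnb-A", "gnb-B")
    amf.smc_complete(ue)
    out["ncc_after_ho"] = amf.handover_required(ue.amf_ue_ngap_id, "gnb-A", "gnb-B")
    out["smc_during_ho"] = _attempt(amf.start_smc, ue)
    out["forged_notify"] = _attempt(amf.handover_notify, ue.amf_ue_ngap_id, "gnb-evil")
    out["notify_from_source"] = _attempt(amf.handover_notify, ue.amf_ue_ngap_id, "gnb-A")
    out["owner_after_ho"] = amf.handover_notify(ue.amf_ue_ngap_id, "gnb-B").gnb
    out["forged_ho_required"] = _attempt(amf.handover_required, ue.amf_ue_ngap_id, "gnb-evil", "gnb-evil")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the model is the ordering of the two checks: ownership is verified against the association the ID was allocated to before any state is touched, and only then does the single `pending` slot decide whether a new procedure may start. A real AMF would additionally have to decide whether to queue or abort the refused procedure rather than simply drop the message.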

