CVE-2026-10565
Deferred Deferred - Pending Action
Race Condition in Open5GS NGAP Handover

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: VulDB

Description
A security flaw has been discovered in Open5GS up to 2.7.6. The impacted element is the function gmm_state_security_mode of the file src/amf/gmm-sm.c of the component NGAP Handover. Performing a manipulation results in race condition. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is regarded as difficult. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-10565
EUVD
EUVD-2026-33871
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
open5gs open5gs 2.7.6
open5gs open5gs to 2.7.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10565 is a security flaw in Open5GS up to version 2.7.6 affecting the NGAP Handover component, specifically the function gmm_state_security_mode in the file src/amf/gmm-sm.c. The vulnerability arises from a race condition caused by the lack of proper validation and state tracking during concurrent NAS Security Mode Command (SMC) and N2 handover procedures.

This flaw allows the AMF (Access and Mobility Management Function) to initiate a NAS SMC while an N2 handover with a new NH/NCC key is still ongoing, or vice versa, leading to mismatches in security contexts and key derivation between the UE and the network. Essentially, Open5GS does not serialize these security procedures, violating 3GPP TS 33.501 Β§6.9.5.1 specifications.

Additionally, the vulnerability involves improper verification of AMF-UE-NGAP-ID ownership by the sending gNB, allowing a malicious gNB to forge NGAP messages referencing another gNB's UE-associated NGAP ID. This can cause the AMF to incorrectly process these messages, potentially redirecting victim traffic to an attacker-controlled gNB.

The attack can be initiated remotely, but it is considered complex and difficult to exploit. A fix has been proposed but awaits acceptance.

Impact Analysis

This vulnerability can impact you by allowing an attacker to manipulate the security procedures during handover in the 5G core network, potentially causing mismatches in security keys between the user equipment (UE) and the network.

Such mismatches can lead to degraded security, including the possibility of unauthorized interception or redirection of user traffic.

Specifically, a malicious gNB could forge NGAP messages to redirect downlink traffic intended for a victim UE to the attacker’s gNB, compromising confidentiality and integrity of communications.

Although the attack complexity is high and exploitability is difficult, the exploit code is publicly available, increasing the risk of real-world attacks.

Compliance Impact

This vulnerability violates 3GPP TS 33.501 Β§6.9.5.1, which mandates proper serialization and validation of NAS Security Mode Command and handover procedures to maintain secure key management.

Failure to enforce these security procedures can lead to unauthorized access or interception of user data, potentially resulting in breaches of confidentiality and data integrity.

Such breaches could impact compliance with data protection regulations like GDPR and HIPAA, which require appropriate technical measures to protect personal and sensitive data.

Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to compromised security controls in the 5G core network.

Detection Guidance

This vulnerability involves a race condition in the Open5GS AMF component during NGAP handover and NAS Security Mode Command procedures, which can be exploited remotely. Detection would involve monitoring for unusual or concurrent NGAP messages related to security mode commands and handover procedures, especially overlapping NAS Security Mode Commands and N2 handovers for the same UE.

Since the vulnerability is related to concurrent NAS Security Mode Command and N2 handover procedures, network operators can look for signs of simultaneous security procedures for the same UE in logs or traces.

However, no explicit detection commands or tools are provided in the available resources or CVE description.

Mitigation Strategies

The vulnerability is fixed by a patch that adds validation to ensure that concurrent NAS Security Mode Command and N2 handover procedures are serialized, preventing key derivation mismatches.

Immediate mitigation steps include:

  • Apply the patch or update Open5GS to a version that includes the fix for CVE-2026-10565 once it is accepted and released.
  • Monitor and restrict NGAP messages to prevent unauthorized or forged messages from malicious gNBs, as the vulnerability allows forged NGAP messages to be processed.
  • Implement network-level controls to limit access to the AMF from untrusted gNBs to reduce the attack surface.

Until the fix is applied, be aware that the exploit is public and may be used for attacks, so heightened monitoring and access control are recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10565. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart