Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A security flaw has been discovered in Open5GS up to 2.7.6. The impacted element is the function gmm_state_security_mode of the file src/amf/gmm-sm.c of the component NGAP Handover. Performing a manipulation results in race condition. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is regarded as difficult. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance.
Analysis (AI)
Race condition in Open5GS AMF up to version 2.7.6 allows a remote, low-privileged attacker to trigger concurrent NGAP Security Mode Command processing in gmm_state_security_mode (src/amf/gmm-sm.c), resulting in low availability impact. Publicly available exploit code exists (N2-SMC-Concurrent.zip), but no active exploitation had been identified at the time of analysis, and this CVE is not listed in CISA KEV. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires: (1) authenticated access to the AMF's N2 interface (CVSS PR:L), meaning the attacker controls or has compromised a gNodeB with an established NGAP connection to the target AMF; (2) high attack complexity (CVSS AC:H), meaning the attacker must time concurrent NGAP message delivery precisely to hit the race window in gmm_state_security_mode - this is not trivially reproducible on demand; (3) the vulnerability is specific to the NGAP Handover flow and Security Mode Command processing path, so the target UE must be in or entering a security mode negotiation or handover state. … |
| Risk Assessment | CVSS 3.1 score of 3.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L) reflects a low-severity, high-complexity remote vulnerability requiring low privileges with only availability impact - a difficult exploitation profile in practice. … |
| Exploit Scenario | An attacker with low-privilege access to the N2 interface - such as an operator of a rogue or compromised gNodeB - sends concurrent Security Mode Command-related NGAP messages to the Open5GS AMF, racing the state machine in gmm_state_security_mode against itself. The publicly released exploit archive (N2-SMC-Concurrent.zip) demonstrates this timing-dependent technique, which requires high attack complexity to land the race window reliably, with the practical outcome being disruption of the affected UE's AMF session state and a low availability impact. |
| Remediation | The upstream fix is available as PR #4501 (https://github.com/open5gs/open5gs/pull/4501), which awaits merge acceptance as of the time of reporting - a released patched version is not independently confirmed, so this should be treated as 'upstream fix available (PR/commit); released patched version not independently confirmed.' Operators should monitor the Open5GS release channel for the version incorporating this PR. … |
EUVD-2026-33871
GHSA-94vg-m7v6-9c25