
Open5GS EUVD-2026-33458 | CVE-2026-10116 (LOW)

Improper Resource Shutdown or Release (CWE-404)
Published 2026-05-30 · VulDB · GHSA-xq3q-8wc9-jgfc
Score 2.1 · CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline (4 events)

Severity Changed: May 30, 2026, 12:22 (NVD): MEDIUM to LOW
CVSS Changed: May 30, 2026, 12:22 (NVD): 4.3 (MEDIUM) to 2.1 (LOW)
Source Code Evidence Fetched: May 30, 2026, 12:12 (vuln.today)
Analysis Generated: May 30, 2026, 12:12 (vuln.today)

Description (CVE.org)

A security flaw has been discovered in Open5GS up to 2.7.7. This vulnerability affects the function ogs_sbi_xact_add in the library /lib/core/ogs-timer.c of the component ue-authentications Endpoint. Performing a manipulation results in denial of service. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. Applying a patch is the recommended action to fix this issue.

Analysis (AI)

Timer pool exhaustion in Open5GS up to 2.7.7 allows an authenticated remote attacker with low privileges to crash the UE authentication service via rapid HTTP/2 stream resets against the ue-authentications SBI endpoint. The root cause is CWE-404: response timers for outbound SBI transactions are not released when the originating inbound HTTP/2 stream closes prematurely (via RST_STREAM or connection drop), causing the timer pool to exhaust when a peer resets streams rapidly while upstream network functions are slow or unresponsive. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Authenticate with low-privilege credential to SBI interface
Delivery: Target ue-authentications HTTP/2 endpoint
Exploit: Open inbound streams rapidly
Execution: Issue RST_STREAM before upstream NF responds
Persist: Timer pool slots accumulate without release
Impact: Pool exhausted, authentication service unavailable

Vulnerability Assessment (AI)

Exploitation: The attacker must have low-privilege authenticated access (PR:L per the CVSS vector) to the Open5GS SBI interface hosting the ue-authentications endpoint; this is NOT an unauthenticated attack. …

Risk Assessment: The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) indicates a moderate-severity denial of service reachable over the network with low complexity but requiring low-privilege authentication (PR:L). …

Exploit Scenario: An attacker with low-privilege access to the Open5GS SBI network plane (e.g., a compromised NF or a misconfigured internal service) connects to the ue-authentications HTTP/2 endpoint and rapidly opens and resets streams (RST_STREAM) at a rate that exceeds the upstream NF's response speed. Each reset stream leaves an unreleased timer slot in the pool; with sustained rapid resets, the timer pool exhausts within minutes, preventing new UE authentication transactions from being allocated and rendering the authentication service unavailable. …

Remediation: The upstream fix is available as GitHub PR #4578 (https://github.com/open5gs/open5gs/pull/4578); however, a tagged release incorporating this patch has not been independently confirmed from the available data. Operators should monitor the Open5GS release page for a patched release beyond 2.7.7 and upgrade as soon as one is published. …
