Description
A weakness has been identified in Open5GS up to 2.7.7. This issue affects the function ogs_pool_id_calloc in the library /lib/sbi/nghttp2-server.c. Executing a manipulation can lead to denial of service. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. It is best practice to apply a patch to resolve this issue.
Published: 2026-05-30
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Open5GS project, specifically within the ogs_pool_id_calloc function of the nghttp2-server.c component, can be triggered by crafted input to cause a denial of service. The weakness is classified as a resource exhaustion vulnerability (CWE-404) and does not provide an attacker with direct access to confidential data or the ability to modify system integrity; it only disrupts the availability of the affected service.

Affected Systems

The vulnerability affects Open5GS installations up to and including version 2.7.7. No other vendors or product lines are listed as impacted in this advisory.

Risk and Exploitability

The CVSS base score is 5.3, indicating a moderate severity level. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Attackers can launch the exploit remotely, and an exploit has already been made publicly available, suggesting that anyone with network reach to the vulnerable system could potentially interrupt service.

Generated by OpenCVE AI on May 30, 2026 at 13:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Open5GS to version 2.7.8 or later, which contains the fix for the ogs_pool_id_calloc bug.
  • Review Open5GS configuration to reduce the exposure of the nghttp2 server, such as restricting allowed IP addresses or disabling the component if it is not required.
  • Enable logging and monitoring for abnormal traffic or repeated connection attempts to the affected ports so that an ongoing denial-of-service attack can be detected and mitigated quickly.

Advisories

No advisories yet.

History

Sat, 30 May 2026 12:45:00 +0000

Values Added by Type (the Values Removed column is empty for every row):

  • Description: A weakness has been identified in Open5GS up to 2.7.7. This issue affects the function ogs_pool_id_calloc in the library /lib/sbi/nghttp2-server.c. Executing a manipulation can lead to denial of service. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. It is best practice to apply a patch to resolve this issue.
  • Title: Open5GS nghttp2-server.c ogs_pool_id_calloc denial of service
  • First Time appeared: Open5gs; Open5gs open5gs
  • Weaknesses: CWE-404
  • CPEs: cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*
  • Vendors & Products: Open5gs; Open5gs open5gs
  • References:
  • Metrics:
      cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
      cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
      cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-30T12:30:08.160Z

Reserved: 2026-05-29T17:15:20.897Z

Link: CVE-2026-10117

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-30T13:16:20.870

Modified: 2026-05-30T13:16:20.870

Link: CVE-2026-10117

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T13:30:24Z

Weaknesses