CVE-2026-1522 in Open5GS
Summary
by MITRE • 01/28/2026
A weakness has been identified in Open5GS up to 2.7.6. This vulnerability affects the function sgwc_s5c_handle_modify_bearer_response of the file src/sgwc/s5c-handler.c of the component SGWC. Executing a manipulation can lead to denial of service. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. This patch is called b19cf6a. Applying a patch is advised to resolve this issue. The issue report is flagged as already-fixed.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/03/2026
The vulnerability CVE-2026-1522 represents a critical weakness in the Open5GS software suite, specifically within the SGWC (Serving Gateway Control Plane) component. This flaw exists in the sgwc_s5c_handle_modify_bearer_response function located in the src/sgwc/s5c-handler.c file, which is part of the broader 5G core network infrastructure. The vulnerability has been classified as affecting versions up to 2.7.6, indicating that organizations running these older versions remain exposed to potential exploitation. The weakness manifests as a denial of service condition that can be triggered through manipulation of the targeted function, effectively compromising the availability of the affected network services.
The technical nature of this vulnerability stems from improper handling of modify bearer response messages within the S5C interface, which is a critical communication pathway between the Serving Gateway and the Packet Data Network Gateway in 3GPP networks. This flaw allows an attacker to craft malicious packets that, when processed by the sgwc_s5c_handle_modify_bearer_response function, can cause the system to crash or become unresponsive. The vulnerability's remote exploitability means that attackers do not need physical access to the network infrastructure, enabling them to launch attacks from external networks. The availability of a public exploit further amplifies the risk, as it removes the barrier to entry for potential attackers who may not possess advanced technical capabilities.
The operational impact of CVE-2026-1522 extends beyond simple service disruption, potentially affecting the entire 5G network ecosystem that relies on Open5GS for core network functions. When exploited, the vulnerability can cause cascading failures in the mobile network infrastructure, leading to widespread service outages for subscribers and potentially disrupting critical communications. The attack vector's remote nature means that network operators must consider their exposure to attacks originating from the internet, necessitating robust network segmentation and monitoring capabilities. This vulnerability directly impacts the reliability and security posture of 5G networks, particularly in environments where Open5GS is deployed as a software-defined core network solution.
Network security professionals should prioritize immediate remediation of this vulnerability through the application of the patch referenced as b19cf6a. The patch addresses the root cause of the denial of service condition by implementing proper input validation and error handling within the sgwc_s5c_handle_modify_bearer_response function. Organizations should conduct thorough testing of the patch in non-production environments before deployment to ensure compatibility with existing network configurations. The vulnerability's classification as already-fixed indicates that the Open5GS development team has recognized the severity and provided a solution, making the patch implementation a critical security measure. Compliance with the patch deployment timeline is essential to maintain network integrity and prevent exploitation by malicious actors who may already be targeting this vulnerability.
The vulnerability aligns with CWE-400, which describes weaknesses related to resource exhaustion and denial of service conditions in software systems. From an ATT&CK framework perspective, this vulnerability maps to techniques involving service disruption and system resource exhaustion, potentially enabling attackers to achieve broader network compromise objectives. The presence of a public exploit increases the likelihood of automated attacks targeting vulnerable Open5GS installations, making proactive remediation essential for maintaining network security. Organizations should also implement monitoring solutions to detect potential exploitation attempts and establish incident response procedures to address any successful attacks that may occur despite patching efforts.