| Title | Open5GS SGWC v2.7.6 Denial of Service |
|---|
| Description | SGW-C can be crashed by sending an late CreateBearerResponse on S11 under a crafted call flow. When SGW-C receives the CreateBearerResponse after the relevant UE/session context has been removed or is otherwise not found, it hits an ogs_assert(sgwc_ue) in sgwc_s11_handle_create_bearer_response, causing immediate termination of the control-plane process |
|---|
| Source | ⚠️ https://github.com/open5gs/open5gs/issues/4225 |
|---|
| User | ZiyuLin (UID 93568) |
|---|
| Submission | 12/31/2025 10:41 (4 months ago) |
|---|
| Moderation | 01/16/2026 17:36 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 341595 [Open5GS up to 2.7.6 GTPv2 Bearer Response denial of service] |
|---|
| Points | 19 |
|---|