| Title | Open5GS SGWC v2.7.6 Denial of Service |
|---|
| Description | SGW-C can be forced to crash when handling a crafted GTPv2-C CreateSessionResponse on S5-C, if the response cannot be mapped to a valid S11 transaction context.
In sgwc_s5c_handle_create_session_response() (file src/sgwc/s5c-handler.c), SGW-C expects to find the corresponding S11 transaction (s11_xact) associated with the S5-C transaction / response. When the association lookup fails , s11_xact == NULL and the code triggers and the assertion triggers an immediate process abort, causing denial-of-service. |
|---|
| Source | ⚠️ https://github.com/open5gs/open5gs/issues/4226 |
|---|
| User | ZiyuLin (UID 93568) |
|---|
| Submission | 12/31/2025 10:42 (4 months ago) |
|---|
| Moderation | 01/16/2026 17:36 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 341596 [Open5GS up to 2.7.6 src/sgwc/s5c-handler.c sgwc_s5c_handle_create_session_response denial of service] |
|---|
| Points | 20 |
|---|