CVE-2025-15531
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-17

Last updated on: 2026-02-23

Assigner: VulDB

Description
A vulnerability was identified in Open5GS up to 2.7.5. This vulnerability affects the function sgwc_bearer_add of the file src/sgwc/context.c. The manipulation leads to reachable assertion. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The issue report is flagged as already-fixed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-17
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-01-18
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15531
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open5gs open5gs to 2.7.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15531 is a denial-of-service vulnerability in Open5GS's Serving Gateway Control plane (SGW-C) up to version 2.7.5. The issue occurs in the function sgwc_bearer_add when the system tries to allocate a new bearer but the bearer pool is exhausted, causing the allocation to return NULL. The code then triggers an assertion failure on this NULL pointer, which causes the SGW-C process to crash. This vulnerability can be exploited remotely without authentication by sending many bearer creation requests that exceed the bearer pool limit, leading to a fatal assertion and crash of the SGW-C component. [1, 2, 3]

Impact Analysis

Exploitation of this vulnerability results in a denial of service (DoS) condition by crashing the Open5GS SGW-C process. This disrupts the availability of the mobile network session management, potentially causing service outages or interruptions for users relying on the affected network component. Since the attack can be performed remotely without authentication, it poses a significant risk to network stability and reliability. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring the SGW-C logs for fatal assertion failure messages related to bearer allocation, specifically messages indicating an assertion failure in the function sgwc_bearer_add at context.c:560. Detection involves observing crashes or aborts of the SGW-C process triggered by bearer pool exhaustion. Additionally, network monitoring can focus on unusually high volumes of CreateSessionRequest messages over the S11 interface, which are used in the proof-of-concept exploit to exhaust the bearer pool. While no specific commands are provided, checking the SGW-C log file (commonly at /var/log/open5gs/sgwc.log) for fatal assertion errors and monitoring GTPv2 CreateSessionRequest traffic on the S11 interface would be practical steps. [1, 3]

Mitigation Strategies

The immediate mitigation step is to upgrade Open5GS to version 2.7.6 or later, where this vulnerability has been fixed. Since the issue is caused by improper handling of bearer pool exhaustion leading to assertion failure and crash, updating to the fixed version prevents the denial of service. Additionally, monitoring and limiting the number of CreateSessionRequest messages and bearer allocations to avoid exhausting the bearer pool can help reduce risk until the update is applied. No other specific mitigations or workarounds are recommended at the time of disclosure. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15531. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart