CVE-2025-15539
Unknown Unknown - Not Provided
Remote DoS Vulnerability in Open5GS sgwc_s11-handler Component

Publication date: 2026-01-19

Last updated on: 2026-02-23

Assigner: VulDB

Description
A vulnerability was determined in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_downlink_data_notification_ack of the file src/sgwc/s11-handler.c of the component sgwc. This manipulation causes denial of service. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: b4707272c1caf6a7d4dca905694ea55557a0545f. To fix this issue, it is recommended to deploy a patch. The issue report is flagged as already-fixed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15539
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open5gs open5gs to 2.7.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15539 is a denial of service vulnerability in the Open5GS Serving Gateway Control plane (SGW-C) component, specifically in the function sgwc_s11_handle_downlink_data_notification_ack. The issue occurs when the SGW-C receives a delayed Downlink Data Notification Acknowledge (DDN Ack) message referencing a bearer that has already been removed after session teardown. This causes the SGW-C to attempt a lookup for a non-existent bearer context, triggering an assertion failure and crashing the SGW-C process. The vulnerability can be exploited remotely without authentication by sending crafted GTPv2-C signaling messages that simulate this delayed acknowledgment scenario. [1, 3, 4]

Impact Analysis

This vulnerability can cause the Open5GS SGW-C process to crash, resulting in a denial of service (DoS). Since the SGW-C is a critical component in the mobile core network responsible for session management, its crash can disrupt network services, leading to service unavailability for users. The attack can be performed remotely without any privileges or user interaction, making it a significant risk for network stability and availability. [1, 3, 4]

Detection Guidance

This vulnerability can be detected by monitoring the SGW-C logs for crashes or assertion failures related to Downlink Data Notification Acknowledge (DDN Ack) messages referencing deleted bearers. Specifically, look for error or warning logs indicating missing bearer or session contexts in the sgwc_s11_handle_downlink_data_notification_ack function. Additionally, reproducing the issue using the publicly available proof-of-concept (PoC) Go program can help detect the vulnerability by simulating the attack sequence and observing if the SGW-C crashes. The PoC includes command-line flags to configure IP addresses, TEIDs, IMSI, APN, MCC/MNC, timing delays, and can be used to test the system's response to delayed DDN Ack messages. Monitoring UDP traffic on the SGW-C's S11 GTP-C port (default 2123) for delayed or malformed DDN Ack messages may also help detect exploitation attempts. [1, 3]

Mitigation Strategies

The immediate mitigation step is to apply the official patch identified by commit b4707272c1caf6a7d4dca905694ea55557a0545f, which fixes the vulnerability by replacing fatal assertions with runtime checks and safe handling of delayed or malformed Downlink Data Notification Acknowledge messages. This patch prevents the SGW-C process from crashing due to missing bearer or session contexts. Until the patch is applied, monitoring and filtering suspicious delayed DDN Ack messages on the S11 interface may reduce the risk of exploitation. It is also recommended to update Open5GS to a version later than 2.7.6 where this issue is fixed. [2, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15539. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart