Executive Summary

CVE-2026-1586 is a denial of service (DoS) vulnerability in Open5GS versions up to 2.7.5, specifically in the SGW-C component's function ogs_gtp2_f_teid_to_ip. The vulnerability occurs when a malformed ModifyBearerRequest message is sent containing a Bearer Context F-TEID Information Element (IE) with both IPv4 and IPv6 address flags unset (V4=0 and V6=0). This invalid input causes an assertion failure and crash in the SGW-C, leading to a denial of service. The attack can be performed remotely without authentication, making exploitation straightforward. A proof-of-concept exploit exists, and the issue has been fixed in version 2.7.6. [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the SGW-C component of Open5GS to crash, resulting in a denial of service. Since SGW-C is a critical part of the mobile core network, its crash can disrupt mobile network operations and availability. The attack requires no authentication and can be performed remotely, making it a significant risk for service interruption. The impact is limited to availability, with no confidentiality or integrity loss. [1, 2, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or denial of service conditions on the Open5GS SGW-C component, especially triggered by malformed ModifyBearerRequest messages on the S11 interface. Detection involves capturing and analyzing GTPv2-C traffic to identify ModifyBearerRequest messages containing Bearer Context F-TEID Information Elements where both IPv4 and IPv6 address flags are unset (V4=0 and V6=0). Network packet capture tools like tcpdump or Wireshark can be used to capture traffic on UDP port 2123 (GTPv2-C). For example, a tcpdump command to capture relevant traffic could be: `tcpdump -i <interface> udp port 2123 -w gtp_traffic.pcap`. Then, analyze the captured packets for malformed F-TEID IEs. Additionally, monitoring Open5GS SGW-C logs for assertion failures or crashes related to `ogs_gtp2_f_teid_to_ip()` can help detect exploitation attempts. Since a public proof-of-concept exploit exists, testing in a controlled environment by sending crafted ModifyBearerRequest messages with malformed F-TEID IEs can confirm vulnerability presence. [2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to apply the patch provided in Open5GS version 2.7.6 or later, which fixes the issue by properly validating the F-TEID IE fields to ensure at least one IP address flag (IPv4 or IPv6) is set before processing. Until the patch can be applied, network administrators should consider implementing filtering or intrusion detection rules to block or alert on malformed ModifyBearerRequest messages with Bearer Context F-TEID IEs that have both IPv4 and IPv6 flags unset. Monitoring and restarting the SGW-C service upon crashes can help maintain availability. Ultimately, upgrading to the fixed Open5GS version is strongly recommended to fully mitigate the risk. [1, 3]

Useful 0 Not Useful 0

Compliance Impact

The provided resources do not contain information regarding the impact of CVE-2026-1586 on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0