Executive Summary

CVE-2026-1587 is a remote denial of service (DoS) vulnerability in the Open5GS SGWC component. It occurs when the Serving Gateway Control plane (SGW-C) processes a malformed CreateSessionResponse message from the Packet Gateway (PGW) that contains an invalid PDN Address Allocation (PAA) with an invalid PDN type value (e.g., 4, while valid types are 1-3). This causes the SGW-C to store an invalid internal session state. When a subsequent ModifyBearerRequest message is received over the S11 interface, the SGW-C hits an assertion failure in the function sgwc_s11_handle_modify_bearer_request, leading to the process aborting and causing a denial of service. The vulnerability can be exploited remotely without authentication or user interaction by sending crafted GTPv2 messages. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a remote denial of service (DoS) on the Open5GS SGWC component, leading to a crash of the Serving Gateway Control plane process. This results in a disruption of service availability, potentially causing network outages or degraded mobile core network functionality. Since the attack can be performed remotely without authentication or user interaction, it poses a significant risk to service continuity. [1, 2, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for abnormal crashes or aborts of the Open5GS SGW-C process, especially triggered by malformed GTPv2 messages over the S11 interface. Detection involves capturing and analyzing GTPv2 traffic to identify malformed CreateSessionResponse messages containing invalid PDN Address Allocation (PAA) with invalid PDN type values (e.g., 4 instead of valid 1-3). Using packet capture tools like tcpdump or Wireshark to filter GTPv2 messages on the S11 interface can help detect suspicious messages. Additionally, reviewing SGW-C logs for assertion failures in the function sgwc_s11_handle_modify_bearer_request can indicate exploitation attempts. Example commands include: 1. Capture GTPv2 traffic on the S11 interface: tcpdump -i <interface> udp port 2123 -w capture.pcap 2. Analyze captured traffic in Wireshark filtering for CreateSessionResponse messages and inspecting the PDN Address Allocation field for invalid PDN types. 3. Monitor SGW-C logs for assertion failures or crashes related to sgwc_s11_handle_modify_bearer_request. Note that a proof-of-concept tool exists that crafts such malformed messages, which can be used in a controlled environment to test detection capabilities. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to apply the official patch or upgrade Open5GS to version 2.7.6 or later, where the vulnerability has been fixed by improving validation of the PDN Address Allocation and session type to prevent storing invalid session states. Until the patch is applied, consider implementing network-level filtering to block malformed GTPv2 messages, especially CreateSessionResponse messages with invalid PDN types, on the S11 interface. Monitoring and alerting on SGW-C crashes or assertion failures can also help in early detection and response. Since the vulnerability can be exploited remotely without authentication, patching is strongly recommended to prevent denial of service. [2, 3]

Useful 0 Not Useful 0