CVE-2026-1736
Reachable Assertion in Open5GS SGWC Allows Remote Attack

Publication date: 2026-02-02

Last updated on: 2026-02-11

Assigner: VulDB

Description
A security vulnerability has been detected in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c of the component SGWC. Such manipulation leads to reachable assertion. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. A patch should be applied to remediate this issue. The issue report is flagged as already-fixed.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-02-03
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor: open5gs
Product: open5gs
Version / Range: up to 2.7.6 (inclusive)
CWE ID: CWE-617
Description: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-1736 is a remote denial-of-service vulnerability in Open5GS SGWC that can cause service outages by crashing the SGW-C process. While it impacts system availability, there is no indication from the provided information that it affects confidentiality or integrity of data.

Since the vulnerability leads to denial of service without compromising data confidentiality or integrity, its direct impact on compliance with standards like GDPR or HIPAA, which primarily focus on data protection and privacy, is limited. However, availability is a component of many security frameworks, so prolonged or repeated outages could indirectly affect compliance by disrupting service availability requirements.

No explicit references to compliance impacts or regulatory considerations are provided in the available resources.


Can you explain this vulnerability to me?

CVE-2026-1736 is a security vulnerability in Open5GS up to version 2.7.6, specifically in the SGWC component's function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request. The issue arises when the Serving Gateway Control plane (SGW-C) receives a CreateSessionResponse message containing a malformed PDN Address Allocation (PAA) element, which results in an invalid session_type value. When the SGW-C later processes a CreateIndirectDataForwardingTunnelRequest message on the S11 interface, it encounters a fatal assertion failure due to this invalid session_type, causing the SGW-C process to abort and crash. This leads to a denial-of-service condition. The vulnerability can be exploited remotely without authentication by sending crafted protocol messages. A proof-of-concept exploit is publicly available, and the issue has been fixed in later versions by validating the PDN type and session_type handling. [2, 3, 4]


How can this vulnerability impact me?

This vulnerability can cause a remote denial-of-service (DoS) condition in the Open5GS SGWC component. An attacker can remotely trigger a crash of the SGW-C process by sending specially crafted messages, causing the service to become unavailable. This impacts system availability, potentially leading to service outages in the 5G core network infrastructure relying on Open5GS, disrupting network operations and connectivity for users. [2, 3, 4]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for crashes or assertion failures in the SGW-C component of Open5GS, specifically related to the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request. Detection involves observing logs for messages such as "Invalid session_type [4]" and monitoring for denial-of-service conditions caused by process aborts. Additionally, reproducing the issue involves sending crafted GTPv2 messages, including a CreateSessionResponse with an invalid PDN type (e.g., 4) followed by a CreateIndirectDataForwardingTunnelRequest on the S11 interface. Using tools or scripts that can craft and send these GTPv2 messages (such as the Go-based proof-of-concept using the github.com/wmnsk/go-gtp/gtpv2 library) can help detect the vulnerability. Specific commands would involve using such a PoC or custom scripts to send these crafted messages and observe if the SGW-C crashes or logs assertion failures. [3, 4]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to apply the official patch provided by the Open5GS project that fixes the assertion failure by validating the PDN type and session_type handling in the SGW-C component. Since the vulnerability is already fixed in the Open5GS codebase, upgrading to a version later than 2.7.6 that includes this patch will remediate the issue. Until the patch is applied, monitoring for suspicious CreateSessionResponse messages with invalid PDN types and restricting or filtering such malformed messages on the S11 interface may reduce the risk of exploitation. [2, 3, 4]

