Executive Summary

CVE-2026-1737 is a denial-of-service vulnerability in Open5GS up to version 2.7.6, specifically in the Serving Gateway Control plane (SGW-C) component. It occurs because the SGW-C improperly handles malformed CreateSessionResponse messages from the Packet Gateway (PGW) that contain invalid PDN Address Allocation (PAA) types (e.g., an invalid pdn-type=4). This invalid input corrupts the SGW-C session state, causing subsequent control-plane messages like CreateBearerRequest to trigger fatal assertion failures in the code, leading to a crash of the SGW-C component. The vulnerability can be exploited remotely without authentication by sending crafted GTPv2 messages with invalid PAA fields, causing the LTE/5G core network to become unavailable until the SGW-C is restarted or patched. [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition in the Open5GS SGW-C component, which is critical for LTE/5G core network operations. Exploiting this issue remotely can crash the SGW-C, disrupting network services by making the gateway unavailable. This can lead to service outages, affecting mobile network connectivity and availability for users relying on the affected infrastructure until the issue is patched or the service is restarted. [1, 2, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or assertion failures in the Open5GS SGW-C component, specifically in the function sgwc_s5c_handle_create_bearer_request. Detection involves observing abnormal termination or logs indicating assertion failures triggered by malformed GTPv2 messages with invalid PDN Address Allocation (PAA) types. To actively detect exploitation attempts, you can capture and analyze GTPv2 traffic on the S11 and S5C interfaces for malformed CreateSessionResponse messages containing invalid PDN types (e.g., pdn-type=4). Using packet capture tools like tcpdump or tshark, you can filter for GTPv2 messages and inspect the PAA IE fields. Example commands include: 1) Capture GTPv2 traffic on interface eth0: tcpdump -i eth0 udp port 2123 -w gtpv2_capture.pcap 2) Use tshark to filter CreateSessionResponse messages and inspect PAA IE: tshark -r gtpv2_capture.pcap -Y 'gtpv2.message_type == 32' -V | grep -A 10 'PDN Address Allocation' 3) Monitor Open5GS logs for assertion failures or crashes related to s5c-handler.c. Additionally, the publicly available Go-based proof-of-concept test suite can be used in a controlled environment to simulate the attack and verify if the system is vulnerable. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to deploy the patch provided by the Open5GS project that fixes the improper handling of invalid PDN Address Allocation types in the SGW-C component. Updating Open5GS to a version later than 2.7.6, where the issue is fixed, will prevent the assertion failures and crashes. Additionally, as a temporary mitigation, you can implement network-level filtering to block malformed or suspicious GTPv2 messages with invalid PDN types on the S11 and S5C interfaces to reduce the risk of exploitation. Monitoring and alerting on SGW-C crashes or assertion failures can also help in early detection and response. However, patching remains the primary and recommended mitigation. [1, 2, 3]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability causes a denial-of-service condition by crashing the SGW-C component, impacting system availability. However, it does not affect confidentiality or integrity of data. Therefore, while it may impact availability requirements under standards like GDPR or HIPAA, it does not directly compromise personal data confidentiality or integrity. The main compliance concern would be related to ensuring system availability and timely patching to prevent service disruption. [1, 3]

Useful 0 Not Useful 0