CVE-2026-1738
Reachable Assertion in Open5GS SGWC Allows Remote Exploit
Publication date: 2026-02-02
Last updated on: 2026-02-11
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | up to 2.7.6 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1738 is a vulnerability in Open5GS versions up to 2.7.6, specifically in the SGW-C component's function sgwc_tunnel_add. The flaw occurs when an attacker remotely sends crafted GTPv2-C messages that cause excessive allocation of tunnels and Packet Detection Rules (PDRs), exhausting the PFCP PDR ID pool. When the pool is exhausted, the function fails to allocate a new PDR ID, triggering an assertion failure that causes the SGW-C process to crash. This results in a denial-of-service (DoS) condition. The attack requires no authentication and can be executed remotely. A proof-of-concept exploit is publicly available demonstrating this attack. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can cause the SGW-C component of Open5GS to crash remotely, leading to a denial-of-service (DoS) condition. This crash disrupts the availability of the mobile core network services relying on Open5GS SGW-C, potentially causing network outages or degraded service for users. Since the attack requires no authentication and can be performed remotely, it poses a significant risk to network stability and availability until patched. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the SGW-C logs for crash indicators such as fatal errors, assertion failures, or abort messages related to the exhaustion of the PFCP PDR ID pool. Specifically, look for logs indicating assertion failure in the function sgwc_tunnel_add (e.g., ogs_assert(pdr) failure). Additionally, detection can involve observing unusual or excessive GTPv2-C CreateSessionRequest and CreateIndirectDataForwardingTunnelRequest message floods targeting the SGW-C on the S11 interface (default port 2123). While no specific commands are provided, administrators can use network packet capture tools (e.g., tcpdump) to filter and analyze GTPv2-C traffic on UDP port 2123 and check SGW-C process logs for crashes or assertion failures. [2, 3]
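The traffic side of this check, as an added example (not code from this page or from the Open5GS project): it parses the GTPv2-C header of each UDP 2123 payload and reports sources whose CreateSessionRequest and CreateIndirectDataForwardingTunnelRequest count within a sliding window reaches a threshold. The window, the threshold, the function names and the sample addresses are assumptions; tune the first two against the normal request rate of your S11 peers.

```python
import struct
from collections import defaultdict, deque

# GTPv2-C message types (3GPP TS 29.274) for the two requests named above
CREATE_SESSION_REQ = 32
CREATE_IDFT_REQ = 166  # Create Indirect Data Forwarding Tunnel Request
WATCHED = (CREATE_SESSION_REQ, CREATE_IDFT_REQ)

def parse_gtpv2c(payload: bytes):
    """Return (msg_type, teid or None, seq), or None if not a valid GTPv2-C header."""
    if len(payload) < 8:
        return None
    flags, msg_type, length = struct.unpack("!BBH", payload[:4])
    if flags >> 5 != 2:                      # version field must be 2
        return None
    has_teid = bool(flags & 0x08)            # T flag: TEID present
    hdr_len = 12 if has_teid else 8
    # The Length field counts everything after the first 4 octets
    if len(payload) < hdr_len or not hdr_len - 4 <= length <= len(payload) - 4:
        return None
    teid = struct.unpack("!I", payload[4:8])[0] if has_teid else None
    seq_off = 8 if has_teid else 4
    return msg_type, teid, int.from_bytes(payload[seq_off:seq_off + 3], "big")

def flag_floods(packets, window=10.0, threshold=100):
    """packets: time-ordered (ts_seconds, src_ip, udp_payload) seen on UDP 2123.
    Returns {src_ip: peak watched-request count in any `window` seconds}
    for sources whose peak reaches `threshold` (both values are assumptions)."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, src, payload in packets:
        hdr = parse_gtpv2c(payload)
        if hdr is None or hdr[0] not in WATCHED:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:            # drop requests older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}

def _sample(msg_type, seq, teid=0):
    # Constructed header-only GTPv2-C message (T flag set), not captured traffic
    return struct.pack("!BBHI", 0x48, msg_type, 8, teid) + seq.to_bytes(3, "big") + b"\x00"

def demo():
    # Constructed traffic: a quiet peer, then one source sending 300 requests in 3 s
    pkts = [(i * 12.0, "10.0.0.5", _sample(CREATE_SESSION_REQ, i)) for i in range(5)]
    pkts += [(100 + i * 0.01, "10.0.0.66", _sample(WATCHED[i % 2], i)) for i in range(300)]
    return flag_floods(sorted(pkts, key=lambda p: p[0]))

if __name__ == "__main__":
    print(demo())
```

Feed `flag_floods` the timestamp, source address and UDP payload of each packet from a capture on the S11 interface; the peak count per source gives a baseline for choosing a rate limit.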
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the patch provided by the Open5GS project that fixes this vulnerability; the issue has been flagged as already fixed in versions following 2.7.6. Until the patch is applied, administrators should monitor and limit the rate of GTPv2-C CreateSessionRequest and CreateIndirectDataForwardingTunnelRequest messages to prevent exhaustion of the PFCP PDR ID pool. Implementing network-level filtering or rate limiting on the S11 interface (UDP port 2123) to block or throttle suspicious traffic patterns resembling the attack can help reduce risk. Additionally, reviewing SGW-C logs for early signs of resource exhaustion and crashes can aid in timely response. [1, 2, 3]