CVE-2026-1738
Unknown Unknown - Not Provided
Reachable Assertion in Open5GS SGWC Allows Remote Exploit

Publication date: 2026-02-02

Last updated on: 2026-02-11

Assigner: VulDB

Description
A flaw has been found in Open5GS up to 2.7.6. The impacted element is the function sgwc_tunnel_add of the file /src/sgwc/context.c of the component SGWC. Executing a manipulation of the argument pdr can lead to reachable assertion. The attack can be executed remotely. The exploit has been published and may be used. It is advisable to implement a patch to correct this issue. The issue report is flagged as already-fixed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-02-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1738
EUVD
EUVD-2026-5123
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open5gs open5gs to 2.7.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1738 is a vulnerability in Open5GS versions up to 2.7.6, specifically in the SGW-C component's function sgwc_tunnel_add. The flaw occurs when an attacker remotely sends crafted GTPv2-C messages that cause excessive allocation of tunnels and Packet Detection Rules (PDRs), exhausting the PFCP PDR ID pool. When the pool is exhausted, the function fails to allocate a new PDR ID, triggering an assertion failure that causes the SGW-C process to crash. This results in a denial-of-service (DoS) condition. The attack requires no authentication and can be executed remotely. A proof-of-concept exploit is publicly available demonstrating this attack. [1, 2, 3]

Impact Analysis

This vulnerability can cause the SGW-C component of Open5GS to crash remotely, leading to a denial-of-service (DoS) condition. This crash disrupts the availability of the mobile core network services relying on Open5GS SGW-C, potentially causing network outages or degraded service for users. Since the attack requires no authentication and can be performed remotely, it poses a significant risk to network stability and availability until patched. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring the SGW-C logs for crash indicators such as fatal errors, assertion failures, or abort messages related to the exhaustion of the PFCP PDR ID pool. Specifically, look for logs indicating assertion failure in the function sgwc_tunnel_add (e.g., ogs_assert(pdr) failure). Additionally, detection can involve observing unusual or excessive GTPv2-C CreateSessionRequest and CreateIndirectDataForwardingTunnelRequest message floods targeting the SGW-C on the S11 interface (default port 2123). While no specific commands are provided, administrators can use network packet capture tools (e.g., tcpdump) to filter and analyze GTPv2-C traffic on UDP port 2123 and check SGW-C process logs for crashes or assertion failures. [2, 3]

Mitigation Strategies

The immediate mitigation step is to apply the patch provided by the Open5GS project that fixes this vulnerability, as it has been flagged as already fixed in versions following 2.7.6. Until the patch is applied, administrators should monitor and limit the rate of GTPv2-C CreateSessionRequest and CreateIndirectDataForwardingTunnelRequest messages to prevent exhaustion of the PFCP PDR ID pool. Implementing network-level filtering or rate limiting on the S11 interface (UDP port 2123) to block or throttle suspicious traffic patterns resembling the attack can help reduce risk. Additionally, reviewing SGW-C logs for early signs of resource exhaustion and crashes can aid in timely response. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1738. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart