Executive Summary

CVE-2026-2062 is a denial-of-service vulnerability in the Open5GS SGW-C (Serving Gateway Control plane) component, specifically in versions up to 2.7.6. The issue arises when the SGW-C handles a CreateSessionRequest with the Operation Indication (OI) flag set. This causes SGW-C to send a ModifyBearerRequest to the PGW (Packet Gateway). However, SGW-C fails to properly parse the Bearer Context in the subsequent ModifyBearerResponse from PGW, leaving the PGW S5U tunnel IP address uninitialized.

Because the PGW S5U tunnel address is missing, when SGW-C attempts to build the CreateSessionResponse, it encounters an assertion failure due to the null pointer dereference of the tunnel IP address. This causes the SGW-C process to crash (SIGABRT), resulting in a denial of service.

The vulnerability can be triggered remotely without authentication by sending a crafted CreateSessionRequest with the OI flag set. A proof-of-concept exploit is publicly available demonstrating this crash.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the SGW-C process in Open5GS to crash remotely, leading to a denial of service (DoS). This disrupts the availability of the SGW-C component, which is critical for handling session management in mobile networks.

An attacker can exploit this vulnerability without any privileges or user interaction by sending a specially crafted CreateSessionRequest with the OI flag set. The resulting crash can cause service interruptions, potentially affecting network reliability and user connectivity.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for crashes or assertion failures in the Open5GS SGW-C process, especially when handling CreateSessionRequest messages with the Operation Indication (OI) flag set to 0x08.'}, {'type': 'paragraph', 'content': 'Specifically, logs showing errors like `[gtp] ERROR: No IPv4 or IPv6 (../lib/gtp/v2/conv.c:150)` or assertion failures at `sgwc_s11_build_create_session_response` indicate the vulnerability being triggered.'}, {'type': 'paragraph', 'content': 'To detect attempts to exploit this vulnerability, you can capture and analyze GTPv2 traffic on the S11 interface for CreateSessionRequest messages with the OI flag set.'}, {'type': 'paragraph', 'content': 'Suggested commands include using packet capture tools such as tcpdump or tshark to filter for these messages. For example:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -w capture.pcap 'udp port 2123'"}, {'type': 'list_item', 'content': "tshark -r capture.pcap -Y 'gtp.message_type == 32 && gtpv2_ie.operation_indication & 0x08 != 0'"}, {'type': 'paragraph', 'content': 'Additionally, monitoring the SGW-C process for unexpected crashes or core dumps can help identify if the vulnerability is being exploited.'}] [1, 4]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation step is to apply the patch identified by commit f1bbd7b57f831e2a070780a7d8d5d4c73babdb59, which fixes the vulnerability by adding proper checks and error handling in the affected functions.

This patch ensures that if the PGW S5U tunnel address is missing in the ModifyBearerResponse, the SGW-C logs an error and returns an appropriate GTP error message instead of crashing.

Until the patch is applied, you should monitor and restrict access to the SGW-C S11 interface to trusted sources only, to reduce the risk of remote exploitation.

Also, consider implementing network-level protections such as firewall rules or intrusion detection systems to detect and block malformed CreateSessionRequest messages with the OI flag set.

Useful 0 Not Useful 0