CVE-2026-2522
Unknown Unknown - Not Provided
Remote Memory Corruption in Open5GS MME Component

Publication date: 2026-02-16

Last updated on: 2026-02-18

Assigner: VulDB

Description
A security vulnerability has been detected in Open5GS up to 2.7.6. Impacted is an unknown function of the file /src/mme/esm-build.c of the component MME. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2522
EUVD
EUVD-2026-6139
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open5gs open5gs to 2.7.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-2522 is a memory corruption vulnerability in Open5GS versions up to 2.7.6, specifically in the Mobility Management Entity (MME) component's source file `/src/mme/esm-build.c` and related S11 handler code. The issue arises when the MME processes a maliciously crafted CreateSessionResponse message from the Serving Gateway (SGW) on the S11 interface."}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the MME does not properly validate the length field of the PDN Address Allocation (PAA) Information Element (IE) in the CreateSessionResponse. An attacker can forge this length to an oversized value (e.g., 200 bytes instead of the normal maximum 21 bytes), causing the MME to copy more data than the buffer can hold into a fixed-size buffer (`sess->paa`).'}, {'type': 'paragraph', 'content': 'This improper bounds checking leads to a buffer overflow and memory corruption, which causes the MME process to crash with a segmentation fault (SIGSEGV), resulting in a remote denial of service (DoS). The attack can be performed remotely without authentication, and a proof-of-concept exploit is publicly available.'}] [1, 2, 3]

Impact Analysis

This vulnerability can be exploited remotely by an attacker capable of spoofing or controlling the Serving Gateway (SGW) to send a malicious CreateSessionResponse message to the MME.

The impact is a remote denial of service (DoS) against the MME component of Open5GS, causing the MME process to crash and terminate unexpectedly.

Such a crash can disrupt the availability of the mobile core network services managed by the MME, potentially leading to service outages or degraded network performance.

No direct confidentiality or integrity impacts are reported, but the availability impact is significant as it can interrupt network operations.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring for crashes or segmentation faults (SIGSEGV) in the Open5GS MME process, specifically the open5gs-mmed service. The crash occurs when the MME receives a malformed CreateSessionResponse message on the S11 interface with an oversized PDN Address Allocation (PAA) Information Element (IE) length.

Detection can involve capturing and analyzing GTPv2-C traffic on the S11 interface to identify CreateSessionResponse messages where the PAA IE length field is unusually large (e.g., significantly greater than the normal maximum of 21 bytes).

Suggested commands and approaches include:

  • Use tcpdump or tshark to capture S11 interface traffic filtering for CreateSessionResponse messages and inspect the PAA IE length field.
  • Example tcpdump command to capture GTPv2-C traffic on UDP port 2123 (default S11 port): tcpdump -i <interface> udp port 2123 -w capture.pcap
  • Use Wireshark or tshark to analyze the captured packets and filter for CreateSessionResponse messages with PAA IE length fields exceeding expected sizes.
  • Monitor system logs for segmentation faults or crashes of the open5gs-mmed process, e.g., using journalctl or systemd logs: journalctl -u open5gs-mmed -f
  • Check for abnormal termination or restart of the MME process, which may indicate exploitation attempts.
Mitigation Strategies

Currently, there are no known patches or mitigations available from the Open5GS project for this vulnerability.

Immediate mitigation steps include:

  • Consider replacing or upgrading the affected Open5GS MME component to a version that addresses this vulnerability once it becomes available.
  • Restrict or monitor access to the S11 interface to trusted and authenticated Serving Gateway (SGW) entities only, to prevent attackers from sending malicious CreateSessionResponse messages.
  • Implement network-level filtering or firewall rules to block or limit suspicious or malformed GTPv2-C messages, especially those with abnormal PAA IE lengths.
  • Monitor the MME process for crashes and be prepared to restart services promptly to maintain availability.
  • Follow updates from the Open5GS project and apply patches or fixes as soon as they are released.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2522. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart