Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-2524 is a denial of service vulnerability in Open5GS version 2.7.6, specifically in the Mobility Management Entity (MME) component's function mme_s11_handle_create_session_response. The vulnerability arises when the MME processes a malformed CreateSessionResponse message containing a Bearer QoS Information Element (IE) with an incorrect length."}, {'type': 'paragraph', 'content': 'The issue is caused by an assertion that checks if the decoded length of the Bearer QoS IE matches the expected length of 22 bytes. If the length is incorrect, the parser returns 0, triggering the assertion failure and causing the MME process to abort (crash).'}, {'type': 'paragraph', 'content': 'An attacker can exploit this remotely by sending a crafted CreateSessionResponse message with a malformed Bearer QoS IE length, leading to a denial of service by crashing the MME.'}] [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service (DoS) condition in the Open5GS MME component, making the affected system unavailable.

Since the MME is a critical component in mobile network infrastructure, its crash can disrupt network services, affecting availability and potentially causing service outages for users.

The attack can be performed remotely without any authentication or user interaction, increasing the risk of exploitation.

No known mitigations or patches are currently available, so affected users are advised to consider alternative products or risk exposure to service disruption.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or assertion failures in the Open5GS MME process, specifically related to the function mme_s11_handle_create_session_response. Logs indicating assertion failures in ogs_gtp2_parse_bearer_qos at types.c:34 or related backtraces are signs of exploitation attempts.

Detection can also involve capturing and analyzing GTPv2 CreateSessionResponse messages on the S11 interface to identify malformed Bearer QoS Information Elements with lengths different from the expected 22 bytes.

A practical approach is to use packet capture tools like tcpdump or tshark to filter and inspect GTPv2 traffic for suspicious Bearer QoS IE lengths.

• Use tcpdump to capture S11 interface traffic: tcpdump -i <interface> port 2123 -w capture.pcap
• Analyze captured packets with tshark or Wireshark to filter CreateSessionResponse messages and inspect Bearer QoS IE lengths.
• Monitor Open5GS MME logs for assertion failure messages referencing ogs_gtp2_parse_bearer_qos or mme_s11_handle_create_session_response.

Useful 0 Not Useful 0

Mitigation Strategies

Currently, there are no known patches or vendor responses to mitigate this vulnerability in Open5GS version 2.7.6.

Immediate mitigation steps include monitoring for exploitation attempts and considering replacing or upgrading the affected product to avoid exposure.

Network administrators should implement network-level protections such as filtering or restricting access to the S11 interface to trusted entities only, reducing the attack surface.

Until a patch or official fix is available, users are advised to consider alternative products or solutions that do not have this vulnerability.

Useful 0 Not Useful 0