CVE-2026-1587 - Vulnerability Details

- Open5GS SGWC s11-handler.c sgwc_s11_handle_modify_bearer_request denial of service

Description

A vulnerability has been found in Open5GS up to 2.7.6. The affected element is the function sgwc_s11_handle_modify_bearer_request of the file /sgwc/s11-handler.c of the component SGWC. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Applying a patch is the recommended action to fix this issue. The issue report is flagged as already-fixed.

Published: 2026-01-29

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the Open5GS SGWC component’s sgwc_s11_handle_modify_bearer_request function allows an attacker to send a specially crafted modify bearer request that triggers a crash, causing the SGWC service to become unavailable. The vulnerability is due to improper handling of certain request parameters, leading to the remote denial of service. It can disrupt traffic routing in cellular networks and affect all subscribers linked to the affected SGWC instance.

Affected Systems

The issue affects the Open5GS implementation up to version 2.7.6. It specifically targets the SGWC (Serving Gateway Control) module responsible for managing S11 interface messages. Users running Open5GS distributions before the release of a security fix are vulnerable if the SGWC component is exposed to external traffic.

Risk and Exploitability

The vulnerability has a CVSS score of 6.9, indicating moderate severity. The EPSS score is reported as less than 1%, meaning that exploitation probability is very low but not zero. The configuration requirement is remote access to the SGWC S11 interface, with no additional privileged access needed. The vulnerability is not listed in the CISA KEV catalog, and the exploit has been disclosed publicly.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

Open5GS

affected

Version	Status	Constraints
`2.7.0`	affected	—
`2.7.1`	affected	—
`2.7.2`	affected	—
`2.7.3`	affected	—
`2.7.4`	affected	—
`2.7.5`	affected	—
`2.7.6`	affected	—

Configuration 1 [-]

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Open5gs	Open5gs	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor-provided security patch for Open5GS SGWC to fix the modify bearer request handler flaw.
Restrict external network access to the SGWC S11 interface by configuring firewalls or access‑control lists to allow only trusted networks.
Implement additional application‑level checks on modify bearer requests to guard against improper error handling as described by CWE-404.

Generated by OpenCVE AI on April 18, 2026 at 19:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00108.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/open5gs/open5gs/
https://github.com/open5gs/open5gs/issues/4272
https://github.com/open5gs/open5gs/issues/4272#event-21968635948
https://github.com/open5gs/open5gs/issues/4272#issue-3795156752
https://vuldb.com/?ctiid.343350
https://vuldb.com/?id.343350
https://vuldb.com/?submit.738376

History

Mon, 23 Feb 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://github.com/open5gs/open5gs/

Mon, 02 Feb 2026 18:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:open5gs:open5gs::::::::

Fri, 30 Jan 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Open5gs Open5gs open5gs
Vendors & Products		Open5gs Open5gs open5gs

Thu, 29 Jan 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 29 Jan 2026 12:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in Open5GS up to 2.7.6. The affected element is the function sgwc_s11_handle_modify_bearer_request of the file /sgwc/s11-handler.c of the component SGWC. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Applying a patch is the recommended action to fix this issue. The issue report is flagged as already-fixed.
Title		Open5GS SGWC s11-handler.c sgwc_s11_handle_modify_bearer_request denial of service
Weaknesses		CWE-404
References		https://github.com/open5gs/open5gs/issues/4272 https://github.com/open5gs/open5gs/issues/4272#event-21968635948 https://github.com/open5gs/open5gs/issues/4272#issue-3795156752 https://vuldb.com/?ctiid.343350 https://vuldb.com/?id.343350 https://vuldb.com/?submit.738376
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Open5gs Open5gs

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-01-29T12:32:08.109Z

Updated: 2026-02-23T09:03:54.723Z

Reserved: 2026-01-29T05:58:44.734Z

Link: CVE-2026-1587

Vulnrichment

Updated: 2026-01-29T14:46:22.512Z

NVD

Status : Modified

Published: 2026-01-29T13:15:53.717

Modified: 2026-02-23T09:16:59.330

Link: CVE-2026-1587

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses

CWE-404

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object