CVE-2026-1736 - Vulnerability Details

- Open5GS SGWC s11-handler.c assertion

Description

A security vulnerability has been detected in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c of the component SGWC. Such manipulation leads to reachable assertion. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. A patch should be applied to remediate this issue. The issue report is flagged as already-fixed.

Published: 2026-02-02

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the SGWC component of Open5GS, specifically in the function that handles indirect data forwarding tunnel requests. A crafted request can trigger an assertion failure within the S11 handler, causing the SGWC process to crash. This CWE-617 reachable assertion flaw does not directly provide code execution, but it can lead to service disruption and potentially serve as a foothold for further exploitation if combined with other weaknesses.

Affected Systems

Versioned releases of the Open5GS platform through 2.7.6, including all installations that have not applied the latest patch, are affected. The issue is confined to the SGWC component, which processes S11 interface traffic between the SGW and the MME/UPF.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate to high risk, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is exploitable remotely and has already been publicly disclosed, which raises the likelihood of targeted attacks. Although the flaw primarily leads to denial of service, a remote attacker could leverage repeated crashes to facilitate a denial‑of‑service attack vector or combine it with other vulnerabilities for broader impact. The CVE is not listed in the CISA KEV catalogue, but its potential to disrupt core 5G network functions warrants prompt attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

Open5GS

affected

Version	Status	Constraints
`2.7.0`	affected	—
`2.7.1`	affected	—
`2.7.2`	affected	—
`2.7.3`	affected	—
`2.7.4`	affected	—
`2.7.5`	affected	—
`2.7.6`	affected	—

Configuration 1 [-]

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Open5gs	Open5gs	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Open5GS to the patched release (2.7.7 or later) to eliminate the reachable assertion.
If an immediate upgrade is not feasible, limit S11 interface traffic to a trusted set of IP addresses or network segments until the patch can be applied, preventing unauthorised tunnel provisioning requests.
Continuously monitor SGWC logs for assertion failures and implement health‑check or fail‑over mechanisms to maintain service availability during any temporary mitigation.

Generated by OpenCVE AI on April 18, 2026 at 14:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00052.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/open5gs/open5gs/
https://github.com/open5gs/open5gs/issues/4270
https://github.com/open5gs/open5gs/issues/4270#event-21968624624
https://github.com/open5gs/open5gs/issues/4270#issue-3795141303
https://vuldb.com/?ctiid.343635
https://vuldb.com/?id.343635
https://vuldb.com/?submit.741191

History

Wed, 11 Feb 2026 19:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:open5gs:open5gs::::::::

Tue, 03 Feb 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Open5gs Open5gs open5gs
Vendors & Products		Open5gs Open5gs open5gs

Mon, 02 Feb 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 02 Feb 2026 01:00:00 +0000

Type	Values Removed	Values Added
Description		A security vulnerability has been detected in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c of the component SGWC. Such manipulation leads to reachable assertion. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. A patch should be applied to remediate this issue. The issue report is flagged as already-fixed.
Title		Open5GS SGWC s11-handler.c assertion
Weaknesses		CWE-617
References		https://github.com/open5gs/open5gs/ https://github.com/open5gs/open5gs/issues/4270 https://github.com/open5gs/open5gs/issues/4270#event-21968624624 https://github.com/open5gs/open5gs/issues/4270#issue-3795141303 https://vuldb.com/?ctiid.343635 https://vuldb.com/?id.343635 https://vuldb.com/?submit.741191
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Open5gs Open5gs

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-02T00:32:06.984Z

Updated: 2026-02-23T09:12:17.476Z

Reserved: 2026-02-01T07:44:34.393Z

Link: CVE-2026-1736

Vulnrichment

Updated: 2026-02-02T16:26:23.287Z

NVD

Status : Analyzed

Published: 2026-02-02T01:15:51.940

Modified: 2026-02-11T19:34:35.430

Link: CVE-2026-1736

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:30:02Z

Weaknesses

CWE-617

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object