Description
A vulnerability was identified in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_modify_bearer_response/sgwc_sxa_handle_session_modification_response of the component PGW S5U Address Handler. The manipulation leads to null pointer dereference. The attack can be initiated remotely. The exploit is publicly available and might be used. The identifier of the patch is f1bbd7b57f831e2a070780a7d8d5d4c73babdb59. Applying a patch is the recommended action to fix this issue.
Published: 2026-02-06
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A null pointer dereference flaw exists in the PGW S5U address handler of Open5GS, specifically in the session modification response processing. The vulnerability allows a remote attacker to send crafted network messages that trigger a crash of the affected component. The impact is service interruption, as the component will fail and potentially affect the entire network function. The flaw is rated 6.9 on the CVSS scale and is catalogued as CWE‑476 and CWE‑404.

Affected Systems

All Open5GS deployments up to version 2.7.6 are affected. The vulnerability is present in the PGW service that handles S5U traffic and is triggered by the sgwc_sxa_handle_session_modification_response routine. This includes any publicly accessible instance that processes LTE or 5G bearer modification responses.

Risk and Exploitability

The EPSS score for this issue is below 1 %, indicating a low probability of exploitation, but public proof‑of‑concept code has been released and the exploit is actively available. Because the attack vector is remote and does not require local user interaction, it can be launched from outside the network. While the flaw does not grant code execution, it can still degrade network availability and may be used as part of a larger denial‑of‑service campaign. The vulnerability is not yet listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 17, 2026 at 22:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Open5GS patch associated with commit f1bbd7b57f831e2a070780a7d8d5d4c73babdb59, which releases the PGW S5U handler from the dereference bug.
  • Upgrade to Open5GS 2.7.7 or later to ensure all related fixes and security enhancements are present.
  • Configure network segmentation or firewall rules to limit S5U traffic to trusted PGW peers, preventing unauthorized traffic that could trigger the bug until a patch is in place.

Generated by OpenCVE AI on April 17, 2026 at 22:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Open5gs
Open5gs open5gs
Vendors & Products Open5gs
Open5gs open5gs

Fri, 06 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_modify_bearer_response/sgwc_sxa_handle_session_modification_response of the component PGW S5U Address Handler. The manipulation leads to null pointer dereference. The attack can be initiated remotely. The exploit is publicly available and might be used. The identifier of the patch is f1bbd7b57f831e2a070780a7d8d5d4c73babdb59. Applying a patch is the recommended action to fix this issue.
Title Open5GS PGW S5U Address sgwc_sxa_handle_session_modification_response null pointer dereference
Weaknesses CWE-404
CWE-476
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Open5gs Open5gs
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:26:59.746Z

Reserved: 2026-02-06T06:38:43.735Z

Link: CVE-2026-2062

cve-icon Vulnrichment

Updated: 2026-02-06T19:05:45.727Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T19:16:10.750

Modified: 2026-02-11T19:02:06.323

Link: CVE-2026-2062

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z

Weaknesses