Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.6
A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.6. The issue arises in the SGW-C component when it processes S5-C Create Session Responses that cannot be linked to a valid S11 transaction. This mismatch triggers an assertion failure, causing the application to crash. The vulnerability can be exploited remotely, without authentication, by sending crafted GTPv2-C messages that disrupt the expected transaction handling.
Exploitation of this vulnerability causes the SGW-C process to abort, leading to a crash and disruption of service.
The vulnerability can be reproduced by sending an orphaned Create Bearer Response after a Create Session Response has been initiated but before the corresponding S11 transaction is completed. This can be done using a public proof-of-concept exploit available on GitHub.
Users are advised to update to Open5GS version 2.7.7 or later, where this vulnerability has been patched.
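The failure class described above (asserting on state that a remote peer controls) is shown below next to the defensive alternative. This is an added illustration, not Open5GS source code or the upstream patch: the transaction table, the sequence-number matching, and every function name are hypothetical simplifications.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model (not Open5GS code): a pending S11 transaction that
 * is waiting for a response on S5-C, keyed by a sequence number. */
typedef struct { uint32_t s5c_seq; int in_use; } s11_xact_t;

#define MAX_XACT 4
static s11_xact_t xacts[MAX_XACT];
static unsigned dropped; /* a real node would export this as a metric */

/* Record that an S11 request was forwarded on S5-C with sequence seq. */
int xact_open(uint32_t seq) {
    for (size_t i = 0; i < MAX_XACT; i++)
        if (!xacts[i].in_use) {
            xacts[i].s5c_seq = seq;
            xacts[i].in_use = 1;
            return 0;
        }
    return -1; /* table full */
}

static s11_xact_t *xact_find(uint32_t seq) {
    for (size_t i = 0; i < MAX_XACT; i++)
        if (xacts[i].in_use && xacts[i].s5c_seq == seq) return &xacts[i];
    return NULL;
}

/* Weak pattern: an unmatched response is treated as an impossible state,
 * so a single orphaned message aborts the whole process. */
int handle_response_asserting(uint32_t seq) {
    s11_xact_t *x = xact_find(seq);
    assert(x);
    x->in_use = 0;
    return 0;
}

/* Hardened pattern: an unmatched response is an input error.
 * Count it, drop it, and keep serving other sessions. */
int handle_response_checked(uint32_t seq) {
    s11_xact_t *x = xact_find(seq);
    if (x == NULL) { dropped++; return -1; }
    x->in_use = 0;
    return 0;
}

unsigned dropped_count(void) { return dropped; }

int main(void) {
    xact_open(100);
    return handle_response_checked(999) == -1 ? 0 : 1; /* orphan dropped */
}
```

A rising dropped-message counter of this kind is also a useful detection signal for unmatched GTPv2-C responses arriving from unexpected peers.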