Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.6
A denial-of-service vulnerability has been identified in the SGW-C component of Open5GS versions through 2.7.6. The issue is in the 'sgwc_s11_handle_downlink_data_notification_ack' function in 'src/sgwc/s11-handler.c'. It can be exploited remotely: the SGW-C process asserts on a null or stale bearer reference and crashes. This is a known issue that has already been fixed in the codebase.
Exploitation of this vulnerability leads to a process crash, causing a denial-of-service condition on the affected component.
The vulnerability can be reproduced by sending a delayed GTPv2-C Downlink Data Notification Acknowledgment (DDN Ack) to the SGW-C after the related bearer has been deleted. This can be done by first establishing a session and then manually deleting the bearer before sending the acknowledgment, which will trigger an assertion failure and crash the process.
Users are advised to update to the latest version of Open5GS, where this issue has been fixed.
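The failure mode described above, as an added example that is not Open5GS source code: a constructed C model in which the handler for a late acknowledgment looks the bearer up by id and drops the message when the bearer is gone, instead of asserting on it. All names (bearer_add, bearer_find_by_id, handle_ddn_ack, the ack_result values) are hypothetical, and the actual upstream fix is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not Open5GS code. Every name here is hypothetical. */
#define MAX_BEARERS 4

typedef struct { uint32_t id; int in_use; int ddn_pending; } bearer_t;
static bearer_t pool[MAX_BEARERS];
static uint32_t next_id = 1; /* ids are never reused, slots are */

/* Allocate a bearer with a notification outstanding; 0 means pool full. */
uint32_t bearer_add(void) {
    for (size_t i = 0; i < MAX_BEARERS; i++)
        if (!pool[i].in_use) {
            pool[i] = (bearer_t){ .id = next_id++, .in_use = 1, .ddn_pending = 1 };
            return pool[i].id;
        }
    return 0;
}

/* Resolve an id to a live bearer; NULL if it was deleted or never existed. */
bearer_t *bearer_find_by_id(uint32_t id) {
    for (size_t i = 0; i < MAX_BEARERS; i++)
        if (pool[i].in_use && pool[i].id == id)
            return &pool[i];
    return NULL;
}

/* Delete a bearer; its slot becomes available to the next bearer_add(). */
void bearer_remove(uint32_t id) {
    bearer_t *b = bearer_find_by_id(id);
    if (b) b->in_use = 0;
}

enum ack_result { ACK_HANDLED, ACK_DROPPED_NO_BEARER, ACK_DROPPED_UNEXPECTED };

/* The ack is network input, so a missing bearer is a normal runtime case.
 * The crash-prone form of this function would be: assert(bearer); */
enum ack_result handle_ddn_ack(uint32_t bearer_id) {
    bearer_t *bearer = bearer_find_by_id(bearer_id);
    if (!bearer)
        return ACK_DROPPED_NO_BEARER; /* deleted before the ack arrived */
    if (!bearer->ddn_pending)
        return ACK_DROPPED_UNEXPECTED; /* duplicate or unsolicited ack */
    bearer->ddn_pending = 0;
    return ACK_HANDLED;
}
```

Because the model never reuses ids, an acknowledgment that refers to a deleted bearer cannot be matched to a newer bearer that took over the same slot.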