CVE-2026-1736 Overview
A reachable assertion vulnerability has been discovered in Open5GS up to version 2.7.6, affecting the Serving Gateway Control Plane (SGWC) component. The vulnerability exists in the sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request function within the /src/sgwc/s11-handler.c file. This flaw allows remote attackers to trigger an assertion failure, causing a denial of service condition in the affected 5G/LTE core network infrastructure.
Critical Impact
Remote attackers can exploit this vulnerability to disrupt 5G/LTE mobile network core services by triggering a reachable assertion in the SGWC component, potentially causing service outages for connected mobile devices.
Affected Products
- Open5GS versions up to 2.7.6
- SGWC (Serving Gateway Control Plane) component
- Systems utilizing the S11 interface handler
Discovery Timeline
- February 2, 2026 - CVE-2026-1736 published to NVD
- February 3, 2026 - Last updated in NVD database
Technical Details for CVE-2026-1736
Vulnerability Analysis
This vulnerability is classified as CWE-617 (Reachable Assertion), a type of denial of service flaw where assertion code that should only be triggered during development or testing can be reached by attackers in production environments. In Open5GS, the vulnerable function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request processes GTPv2-C (GPRS Tunnelling Protocol version 2 for the Control plane) messages on the S11 interface between the MME (Mobility Management Entity) and SGW-C.
When a maliciously crafted create indirect data forwarding tunnel request message is sent to the SGWC component, the code path reaches an assertion that terminates the process. The exploit has been disclosed publicly and the issue has been flagged as already-fixed by the Open5GS project maintainers.
Root Cause
The root cause lies in inadequate input validation in the S11 handler code. The sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request function contains an assertion statement that can be triggered through specially crafted network input. In production code, assertions should either be disabled or replaced with proper error handling that gracefully rejects malformed requests rather than terminating the process.
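The pattern described above, as an added illustration in C. It is not Open5GS source code: the page does not say which condition the assertion checks, so the missing-session and missing-bearer conditions, the struct and the function names are hypothetical stand-ins. The cause values are the GTPv2-C ones defined in 3GPP TS 29.274.

```c
#include <assert.h>
#include <stddef.h>

/* GTPv2-C cause values (3GPP TS 29.274, Cause IE). */
enum { CAUSE_REQUEST_ACCEPTED = 16, CAUSE_CONTEXT_NOT_FOUND = 64,
       CAUSE_MANDATORY_IE_MISSING = 70 };

/* Hypothetical, simplified view of a decoded S11 request. */
struct s11_request {
    const void *session;   /* session looked up from the header TEID, or NULL */
    int bearer_ctx_count;  /* bearer contexts found in the message */
};

/* "Before": state derived from peer input is checked with assert(). If the
 * peer can make either condition false, the whole process aborts (CWE-617). */
int handle_request_asserting(const struct s11_request *req)
{
    assert(req->session);               /* reachable from the network */
    assert(req->bearer_ctx_count > 0);  /* reachable from the network */
    return CAUSE_REQUEST_ACCEPTED;
}

/* "After": the same conditions become protocol errors. The caller answers
 * with the returned cause and keeps serving every other subscriber. */
int handle_request_validating(const struct s11_request *req)
{
    if (req == NULL || req->session == NULL)
        return CAUSE_CONTEXT_NOT_FOUND;
    if (req->bearer_ctx_count <= 0)
        return CAUSE_MANDATORY_IE_MISSING;
    return CAUSE_REQUEST_ACCEPTED;
}

int main(void)
{
    struct s11_request malformed = { NULL, 0 };  /* constructed sample */
    /* Exit status 0 means the request was rejected instead of being fatal. */
    return handle_request_validating(&malformed) == CAUSE_CONTEXT_NOT_FOUND ? 0 : 1;
}
```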
Attack Vector
The attack can be launched remotely over the network without requiring authentication or user interaction. An attacker with network access to the S11 interface can send specially crafted GTPv2-C messages to the SGWC component. When the vulnerable function processes these malformed requests, the assertion condition is triggered, causing the SGWC process to terminate abruptly. This results in a denial of service affecting the mobile core network's ability to handle subscriber sessions and data forwarding operations.
Exploitation consists of sending a malformed Create Indirect Data Forwarding Tunnel Request message to the SGWC component's S11 interface: the handler function reaches the assertion statement before it has properly validated the input parameters, so the service crashes. Technical details and the exploit methodology have been documented in GitHub Open5GS Issue #4270.
Detection Methods for CVE-2026-1736
Indicators of Compromise
- Unexpected SGWC process crashes or restarts in Open5GS deployments
- Assertion failure messages in SGWC logs referencing s11-handler.c
- Anomalous GTPv2-C traffic patterns targeting the S11 interface
- Service disruptions affecting indirect data forwarding tunnel operations
Detection Strategies
- Monitor Open5GS process stability and implement alerting for unexpected SGWC terminations
- Analyze GTPv2-C traffic for malformed Create Indirect Data Forwarding Tunnel Request messages
- Deploy network intrusion detection rules to identify exploitation attempts targeting the S11 interface
- Review system logs for assertion failure indicators in the SGWC component
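One way to implement the traffic analysis listed above, as an added example (not code from Open5GS or from this advisory): a structural check of a UDP payload captured on the S11 port that flags Create Indirect Data Forwarding Tunnel Request messages whose header, length field or IE layout is inconsistent. It assumes one GTPv2-C message per datagram; the function and enum names are hypothetical, and the field layout and type numbers follow 3GPP TS 29.274.

```c
#include <stddef.h>
#include <stdint.h>

#define GTP2_CREATE_IDFT_REQ 166 /* Create Indirect Data Forwarding Tunnel Request */
#define GTP2_IE_BEARER_CTX   93  /* Bearer Context IE, mandatory in this request */

enum gtp2_verdict { GTP2_OK, GTP2_NOT_TARGET, GTP2_BAD_HEADER,
                    GTP2_BAD_LENGTH, GTP2_BAD_IE };

/* Structural check of one UDP payload seen on the S11 port (UDP 2123). */
enum gtp2_verdict check_s11_payload(const uint8_t *p, size_t n)
{
    if (n < 8 || (p[0] >> 5) != 2)          /* too short, or version != 2 */
        return GTP2_BAD_HEADER;
    if (p[1] != GTP2_CREATE_IDFT_REQ)
        return GTP2_NOT_TARGET;             /* some other message type */
    if (!(p[0] & 0x08) || n < 12)           /* T flag set => 12-octet header */
        return GTP2_BAD_HEADER;
    /* The length field counts everything after the first 4 octets. */
    size_t declared = ((size_t)p[2] << 8) | p[3];
    if (declared + 4 != n)
        return GTP2_BAD_LENGTH;
    /* Walk the IEs: type(1) length(2) spare/instance(1) value(length). */
    size_t off = 12;
    int bearer_ctx = 0;
    while (off < n) {
        if (n - off < 4)
            return GTP2_BAD_IE;             /* truncated IE header */
        size_t ie_len = ((size_t)p[off + 1] << 8) | p[off + 2];
        if (ie_len > n - off - 4)
            return GTP2_BAD_IE;             /* IE runs past the message end */
        if (p[off] == GTP2_IE_BEARER_CTX)
            bearer_ctx++;
        off += 4 + ie_len;
    }
    return bearer_ctx ? GTP2_OK : GTP2_BAD_IE;
}

/* Constructed sample: header plus one Bearer Context holding an EPS Bearer ID IE. */
static const uint8_t sample_ok[] = {
    0x48, 166, 0x00, 0x11, 0, 0, 0, 1, 0, 0, 1, 0,  /* header, TEID 1, seq 1 */
    93, 0, 5, 0,  73, 0, 1, 0, 5 };                  /* Bearer Context { EBI 5 } */

int main(void)
{
    return check_s11_payload(sample_ok, sizeof sample_ok) == GTP2_OK ? 0 : 1;
}
```

Any verdict other than `GTP2_OK` or `GTP2_NOT_TARGET` is worth logging with the source address, since legitimate MMEs should not produce structurally broken requests.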
Monitoring Recommendations
- Implement process monitoring with automatic restart capabilities for SGWC services
- Enable detailed logging for the S11 interface handler to capture malformed request patterns
- Deploy network traffic analysis at GTP interface boundaries to detect anomalous signaling
- Set up alerting thresholds for SGWC crash frequency that may indicate active exploitation
How to Mitigate CVE-2026-1736
Immediate Actions Required
- Upgrade Open5GS to the latest patched version beyond 2.7.6
- Implement network segmentation to restrict S11 interface access to trusted MME nodes only
- Enable rate limiting on GTPv2-C signaling interfaces to reduce exploitation impact
- Configure process supervision to automatically restart SGWC services after crashes
Patch Information
The Open5GS project has flagged this issue as already-fixed. Organizations running affected versions should update to the latest release that includes the security patch. The fix addresses the reachable assertion by implementing proper input validation and error handling in the sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request function. For patch details, refer to the GitHub Open5GS Repository and the related issue discussion.
Workarounds
- Restrict network access to the S11 interface using firewall rules to allow only authorized MME connections
- Implement a process supervisor (such as systemd with restart policies) to minimize service downtime
- Deploy a network-level GTP firewall to filter and validate GTPv2-C messages before they reach SGWC
- Consider running multiple SGWC instances with load balancing to maintain availability during individual instance crashes
# Configuration example - Restrict S11 interface access with iptables
# Allow only authorized MME IP addresses to communicate with SGWC S11 interface
iptables -A INPUT -p udp --dport 2123 -s <AUTHORIZED_MME_IP> -j ACCEPT
iptables -A INPUT -p udp --dport 2123 -j DROP
# Configure systemd restart policy for SGWC
# Add to /etc/systemd/system/open5gs-sgwcd.service.d/override.conf
# [Service]
# Restart=always
# RestartSec=5