CVE-2026-1737 Overview
A denial of service vulnerability has been identified in Open5GS, an open source implementation of 5G Core and LTE EPC networks. The vulnerability exists in the function sgwc_s5c_handle_create_bearer_request within the file /src/sgwc/s5c-handler.c, which handles CreateBearerRequest messages in the SGW-C (Serving Gateway Control Plane) component. The flaw allows remote attackers to trigger a reachable assertion, causing the affected service to crash.
This vulnerability affects the 4G/5G mobile network infrastructure component responsible for bearer management in LTE networks. The exploit is publicly available, increasing the risk of active exploitation against vulnerable deployments.
Critical Impact
Remote attackers can crash the SGW-C component of Open5GS deployments, disrupting mobile network services and bearer session management.
Affected Products
- Open5GS up to version 2.7.6
- SGW-C (Serving Gateway Control Plane) component
- Systems utilizing the CreateBearerRequest Handler functionality
Discovery Timeline
- 2026-02-02 - CVE CVE-2026-1737 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2026-1737
Vulnerability Analysis
This vulnerability is classified as CWE-617 (Reachable Assertion), a condition where an assertion statement in the code can be triggered by external input, leading to program termination. In the context of Open5GS, the vulnerable function sgwc_s5c_handle_create_bearer_request fails to properly validate incoming CreateBearerRequest messages before processing them.
The SGW-C component is a critical element of LTE EPC architecture, responsible for routing and forwarding user data packets. When a malformed or unexpected CreateBearerRequest is received via the S5-C interface (GTP-C protocol), the assertion condition is triggered, causing the service to abort.
The attack can be performed remotely over the network without authentication requirements. While the vulnerability does not allow for code execution or data compromise, it poses a significant availability risk to mobile network infrastructure.
Root Cause
The root cause of this vulnerability lies in insufficient input validation in the sgwc_s5c_handle_create_bearer_request function. The code contains an assertion that can be reached with specially crafted network input, violating the assumption that certain conditions would never occur during normal operation. When the assertion fails, the process terminates abnormally.
Assertions are typically used during development to catch programming errors but should not be reachable through external input in production code. The failure to sanitize or validate incoming CreateBearerRequest parameters before the assertion check creates this exploitable condition.
Attack Vector
The vulnerability is exploited via network-based attacks targeting the S5-C interface of the SGW-C component. An attacker with network access to the GTP-C interface can send a specially crafted CreateBearerRequest message that triggers the assertion failure.
The attack does not require prior authentication or user interaction. The attacker needs only network connectivity to the vulnerable Open5GS component, which may be exposed in mobile network deployments. Upon receiving the malicious request, the SGW-C process terminates, disrupting active bearer sessions and potentially affecting mobile network subscribers.
For detailed technical information about this vulnerability, refer to the GitHub Open5GS Issue #4271 where the vulnerability is documented and tracked.
Detection Methods for CVE-2026-1737
Indicators of Compromise
- Unexpected termination or crash of the SGW-C (open5gs-sgwcd) process
- Core dump files generated by assertion failures in s5c-handler.c
- Abnormal GTP-C traffic patterns on the S5-C interface containing malformed CreateBearerRequest messages
- Service restart events correlated with incoming GTP-C traffic
Detection Strategies
- Monitor SGW-C process stability and implement alerting for unexpected service terminations
- Deploy network intrusion detection rules to identify anomalous GTP-C CreateBearerRequest message patterns
- Analyze system logs for assertion failure messages referencing sgwc_s5c_handle_create_bearer_request
- Implement GTP-C protocol inspection at network boundaries to filter malformed messages
Monitoring Recommendations
- Enable detailed logging for the SGW-C component to capture CreateBearerRequest processing events
- Configure process monitoring and automatic restart mechanisms for the open5gs-sgwcd service
- Establish baseline metrics for GTP-C message rates and alert on significant deviations
- Monitor for repeated service restarts that may indicate active exploitation attempts
How to Mitigate CVE-2026-1737
Immediate Actions Required
- Update Open5GS to a patched version that addresses the reachable assertion vulnerability
- Implement network segmentation to restrict access to the S5-C interface from untrusted networks
- Deploy GTP-C protocol filtering at network perimeters to block malformed messages
- Enable service auto-restart mechanisms to minimize disruption during potential attacks
Patch Information
The vulnerability has been flagged as already-fixed by the Open5GS maintainers. Users should upgrade to the latest version of Open5GS that contains the security patch. The fix addresses the assertion handling in the sgwc_s5c_handle_create_bearer_request function to properly validate incoming requests before processing.
Refer to the GitHub Open5GS Repository for the latest release containing the security fix. Additional details about the fix can be found in the GitHub issue tracking this vulnerability.
Workarounds
- Restrict network access to the SGW-C S5-C interface using firewall rules to allow only trusted peer nodes
- Implement rate limiting on GTP-C interfaces to reduce the impact of potential attack attempts
- Deploy a GTP-C aware firewall or deep packet inspection system to filter malicious requests
- Consider running SGW-C in a containerized environment with automatic restart policies
# Example firewall rule to restrict S5-C interface access (adapt ports/IPs as needed)
iptables -A INPUT -p udp --dport 2123 -s <trusted_pgw_ip> -j ACCEPT
iptables -A INPUT -p udp --dport 2123 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
