CVE-2026-2521 Overview
A memory corruption vulnerability has been identified in Open5GS, an open-source implementation of 5G Core and EPC (Evolved Packet Core). This issue affects the function sgwc_s5c_handle_create_session_response within the SGW-C (Serving Gateway Control Plane) component. The vulnerability allows remote attackers to trigger memory corruption through specially crafted network requests, potentially leading to denial of service conditions.
Critical Impact
Remote attackers can exploit this memory corruption vulnerability in the Open5GS SGW-C component to disrupt 5G/LTE core network services, potentially affecting mobile network availability.
Affected Products
- Open5GS versions up to and including 2.7.6
- SGW-C (Serving Gateway Control Plane) component
- Systems running Open5GS-based 5G Core or EPC deployments
Discovery Timeline
- 2026-02-15 - CVE-2026-2521 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-2521
Vulnerability Analysis
This vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). The flaw exists in the sgwc_s5c_handle_create_session_response function, which is responsible for handling GTPv2-C (GPRS Tunneling Protocol version 2 Control Plane) session response messages in the SGW-C component. When processing malformed or crafted session response messages, the function fails to properly validate memory boundaries, leading to memory corruption.
The SGW-C component is a critical element in both 4G LTE and 5G Non-Standalone (NSA) network architectures, handling control plane signaling for user session management. An exploit targeting this vulnerability could impact mobile network operations by corrupting memory state within the control plane processing.
The vulnerability has been publicly disclosed through a GitHub issue report, and exploit details have been made available publicly. The Open5GS project was notified early but has not yet responded to the report.
Root Cause
The root cause of this vulnerability lies in improper bounds checking within the sgwc_s5c_handle_create_session_response function. When processing GTPv2-C Create Session Response messages, the function does not adequately validate input parameters or buffer sizes before performing memory operations. This boundary condition error allows an attacker to manipulate message contents in a way that triggers out-of-bounds memory access.
Attack Vector
The attack can be performed remotely over the network. An attacker with network access to the SGW-C interface can send specially crafted GTPv2-C session response messages to exploit this vulnerability. The attack does not require authentication or user interaction.
The exploitation mechanism involves sending malformed Create Session Response messages to the SGW-C component's S5/S8 interface. These messages contain manipulated fields that cause the vulnerable function to perform improper memory operations, resulting in memory corruption that can lead to service disruption.
For detailed technical analysis and proof-of-concept information, refer to the GitHub issue discussion and VulDB entry.
Detection Methods for CVE-2026-2521
Indicators of Compromise
- Unexpected crashes or restarts of the Open5GS SGW-C process (open5gs-sgwcd)
- Memory-related error messages in SGW-C logs indicating buffer overflows or corruption
- Abnormal GTPv2-C traffic patterns targeting the S5/S8 interface
- Core dumps generated by the SGW-C component showing memory corruption signatures
Detection Strategies
- Monitor Open5GS SGW-C process stability and implement alerting for unexpected service restarts
- Deploy network intrusion detection rules to identify malformed GTPv2-C Create Session Response messages
- Implement deep packet inspection on S5/S8 interfaces to detect anomalous session handling patterns
- Enable verbose logging for the sgwc_s5c_handle_create_session_response function to capture suspicious activity
Monitoring Recommendations
- Configure process monitoring to track SGW-C resource utilization and detect memory anomalies
- Implement GTPv2-C protocol validation at network boundaries to filter malformed messages
- Set up log aggregation and analysis for Open5GS components to identify exploitation attempts
- Monitor for unusual traffic volume or connection patterns targeting the SGW-C S5/S8 interface
How to Mitigate CVE-2026-2521
Immediate Actions Required
- Review the GitHub issue #4282 for the latest updates from the Open5GS project
- Implement network-level filtering to restrict access to SGW-C interfaces from untrusted sources
- Consider deploying additional monitoring on Open5GS SGW-C components
- Evaluate temporary isolation of affected SGW-C instances until a patch is available
Patch Information
As of the last update, the Open5GS project has not yet released an official patch for this vulnerability. The project was informed of the issue through a GitHub issue report but has not responded. Users should monitor the Open5GS GitHub repository for security updates and patches.
SentinelOne customers can leverage Singularity XDR to detect suspicious activity targeting Open5GS deployments and receive real-time threat intelligence updates as patches become available.
Workarounds
- Restrict network access to SGW-C S5/S8 interfaces using firewall rules to limit exposure to trusted network elements only
- Deploy GTPv2-C protocol-aware firewalls or filters to validate and sanitize incoming session response messages
- Implement rate limiting on SGW-C interfaces to reduce the impact of potential exploitation attempts
- Consider deploying Open5GS in a containerized environment with memory limits to contain potential memory corruption impacts
# Example: iptables rules to restrict S5/S8 interface access
# Allow only trusted PGW/SMF IP addresses to connect to SGW-C
iptables -A INPUT -p udp --dport 2123 -s <trusted_pgw_ip> -j ACCEPT
iptables -A INPUT -p udp --dport 2123 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
