CVE-2026-2524 Overview
A denial of service vulnerability has been discovered in Open5GS 2.7.6, affecting the mme_s11_handle_create_session_response function within the MME (Mobility Management Entity) component. The vulnerability allows remote attackers to cause a denial of service condition through improper resource shutdown or release. The exploit has been publicly disclosed, and the Open5GS project was notified through an issue report but has not yet responded.
Critical Impact
Remote attackers can disrupt 5G/LTE core network availability by targeting the MME component, potentially causing service outages for mobile network subscribers.
Affected Products
- Open5GS version 2.7.6
- Open5GS MME (Mobility Management Entity) component
- Systems running mme_s11_handle_create_session_response function
Discovery Timeline
- 2026-02-16 - CVE-2026-2524 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-2524
Vulnerability Analysis
This vulnerability is classified under CWE-404 (Improper Resource Shutdown or Release), indicating that the affected function fails to properly manage resource lifecycle operations. The mme_s11_handle_create_session_response function in the MME component does not correctly handle certain session response scenarios, leading to resource exhaustion or improper state management that results in denial of service.
The MME is a critical component in LTE/4G and 5G networks, responsible for signaling and control plane functions including authentication, bearer management, and mobility management. The S11 interface connects the MME to the Serving Gateway (SGW), and the create_session_response handler processes responses to session establishment requests. A flaw in this handler can disrupt the ability of the network to properly manage user sessions.
Root Cause
The root cause lies in improper resource shutdown or release (CWE-404) within the mme_s11_handle_create_session_response function. When processing malformed or unexpected session response messages, the function fails to properly release allocated resources or handle error conditions, leading to resource leaks or crashes that manifest as denial of service.
Attack Vector
The attack can be initiated remotely over the network without requiring authentication or user interaction. An attacker with network access to the MME's S11 interface can send crafted GTP-C (GPRS Tunneling Protocol - Control plane) messages that trigger the vulnerable code path in the session response handler.
The exploitation involves sending malicious Create Session Response messages to the MME component. When processed by mme_s11_handle_create_session_response, these messages cause the MME to enter an error state or exhaust resources, resulting in denial of service for legitimate network operations. For technical details regarding the vulnerability mechanism, refer to the Open5GS Issue #4284 and VulDB Entry #346112.
Detection Methods for CVE-2026-2524
Indicators of Compromise
- Unexpected MME process crashes or restarts in Open5GS logs
- Increased memory consumption or resource exhaustion on systems running Open5GS MME
- Abnormal GTP-C traffic patterns on the S11 interface
- Failed session establishment requests logged by the MME component
Detection Strategies
- Monitor Open5GS MME logs for error messages related to mme_s11_handle_create_session_response function
- Implement network-based detection for anomalous GTP-C Create Session Response messages
- Deploy intrusion detection rules to identify malformed S11 interface traffic
- Configure alerting for unexpected MME service interruptions or high restart rates
Monitoring Recommendations
- Enable verbose logging on the Open5GS MME component to capture detailed session handling events
- Monitor system resource utilization (memory, CPU) on hosts running the MME service
- Implement GTP-C protocol-aware traffic analysis on the S11 interface
- Set up automated alerts for MME process health and availability
How to Mitigate CVE-2026-2524
Immediate Actions Required
- Review the Open5GS GitHub Issue #4284 for the latest vendor response and available fixes
- Implement network segmentation to restrict access to the MME S11 interface
- Monitor for exploitation attempts using the detection strategies outlined above
- Consider deploying rate limiting on GTP-C traffic to the MME component
Patch Information
As of the last update, the Open5GS project has been notified through Issue #4284 but has not yet responded. Organizations should monitor the Open5GS GitHub repository for upcoming patches and security updates. Check for versions newer than 2.7.6 that may contain a fix for this vulnerability.
Workarounds
- Restrict network access to the MME S11 interface to trusted SGW nodes only
- Implement firewall rules to filter potentially malicious GTP-C traffic
- Deploy GTP-aware traffic inspection to detect and block malformed session response messages
- Consider running the MME in a containerized or sandboxed environment to limit the impact of crashes
# Example: Restrict S11 interface access using iptables
# Allow traffic only from trusted SGW IP addresses
iptables -A INPUT -p udp --dport 2123 -s <trusted_sgw_ip> -j ACCEPT
iptables -A INPUT -p udp --dport 2123 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
