CVE-2026-1736

5.3 MEDIUM

📋 TL;DR

A reachable assertion vulnerability in the Open5GS SGWC component allows remote attackers to cause a denial of service by sending specially crafted requests. This affects Open5GS deployments up to version 2.7.6 that have the SGWC component exposed. The vulnerability is in the S11 interface handling code.

💻 Affected Systems

Products:
  • Open5GS
Versions: Up to and including 2.7.6
Operating Systems: Linux, Unix-based systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with SGWC component enabled and accessible. The vulnerability is in the S11 interface handling between SGW and MME.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service for the SGWC component, disrupting 5G core network functionality and affecting subscriber connectivity.

🟠 Likely Case

Service disruption for the SGWC component requiring restart, potentially affecting multiple subscribers until service is restored.

🟢 If Mitigated

Minimal impact if proper network segmentation and access controls prevent unauthorized access to SGWC interfaces.

🌐 Internet-Facing: MEDIUM - Attack can be launched remotely, but SGWC interfaces should not typically be internet-facing in proper deployments.
🏢 Internal Only: HIGH - If SGWC interfaces are accessible from internal networks, attackers could disrupt critical 5G core functionality.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit has been publicly disclosed in GitHub issues. The attack requires network access to the SGWC S11 interface but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.7 or later

Vendor Advisory: https://github.com/open5gs/open5gs/issues/4270

Restart Required: Yes

Instructions:

1. Update Open5GS to version 2.7.7 or later.
2. Pull latest code from GitHub repository.
3. Rebuild and reinstall Open5GS.
4. Restart all Open5GS services.

🔧 Temporary Workarounds

Network Access Restriction

linux

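Restrict network access to the SGWC S11 interface to trusted MME components only

# S11 is GTPv2-C, which runs over UDP port 2123: allow it only from the trusted MME
iptables -A INPUT -p udp --dport 2123 -s <trusted_mme_ip> -j ACCEPT
# Drop GTP-C traffic from every other source
iptables -A INPUT -p udp --dport 2123 -j DROP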

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the SGWC component from untrusted networks
  • Deploy intrusion detection/prevention systems to monitor for exploitation attempts on the S11 interface

🔍 How to Verify

Check if Vulnerable:

Check the Open5GS version reported by the SGWC daemon: open5gs-sgwcd -v. If the version is 2.7.6 or earlier, the system is vulnerable.

Check Version:

open5gs-sgwcd -v

Verify Fix Applied:

Verify version is 2.7.7 or later and test SGWC functionality with legitimate S11 requests.

📡 Detection & Monitoring

Log Indicators:

  • SGWC process crashes
  • Assertion failures in sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request
  • Unexpected S11 interface disconnections

Network Indicators:

  • Malformed GTP-C messages on port 2123
  • Unexpected traffic patterns to SGWC S11 interface

SIEM Query:

source="open5gs" AND ("assertion" OR "crash" OR "sgwc")
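
A narrower match for the log indicators above, as an added example (not part of the original advisory and not Open5GS code): it flags only FATAL assertion lines and separates hits in the function named above from other SGWC assertions. The log line layout and the sample lines are assumptions constructed for illustration; adjust the regex to the format your deployment writes.

```python
import re
from collections import Counter

# Function name taken from the advisory's log indicators.
VULN_FUNC = "sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request"

# Assumed line layout: "<MM/DD HH:MM:SS.mmm>: [<domain>] <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"\[(?P<domain>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)

def classify(line):
    """Return 'cve_assert', 'other_sgwc_assert' or None for one log line."""
    m = LINE_RE.match(line.strip())
    if not m or m["level"] != "FATAL" or "assertion" not in m["msg"].lower():
        return None
    if VULN_FUNC in m["msg"]:
        return "cve_assert"
    return "other_sgwc_assert" if m["domain"] == "sgwc" else None

def scan(lines):
    """Count findings per kind and keep (kind, timestamp) pairs for triage."""
    counts, hits = Counter(), []
    for line in lines:
        kind = classify(line)
        if kind:
            counts[kind] += 1
            hits.append((kind, LINE_RE.match(line.strip())["ts"]))
    return counts, hits

# Constructed sample lines (placeholders in <>), not captured from a real system.
SAMPLE = [
    "01/30 09:14:02.101: [sgwc] INFO: informational message mentioning assertion",
    "01/30 09:14:07.552: [sgwc] FATAL: " + VULN_FUNC
    + ": Assertion `<expr>' failed. (<file>:<line>)",
    "01/30 09:20:11.004: [sgwc] FATAL: <other_function>: Assertion `<expr>' failed. (<file>:<line>)",
    "01/30 09:21:45.310: [mme] ERROR: <unrelated message>",
    "truncated line without the expected prefix",
]

if __name__ == "__main__":
    counts, hits = scan(SAMPLE)
    for kind, ts in hits:
        print(f"{ts} {kind}")
    print(dict(counts))
```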
