CVE-2026-1521 is a denial of service vulnerability found in Open5GS, an open-source 5G core network implementation widely used for mobile network infrastructure. The vulnerability resides in the SGWC (Serving Gateway Control) component, specifically within the function sgwc_s5c_handle_bearer_resource_failure_indication located in the source file src/sgwc/s5c-handler.c. This function handles bearer resource failure indications on the S5-C interface, which is critical for managing bearer contexts between the Serving Gateway and the Packet Data Network Gateway. Due to improper handling of certain manipulated inputs, an attacker can remotely send crafted messages that trigger a failure condition causing the SGWC process to crash or become unresponsive, resulting in denial of service. The vulnerability requires no authentication, no user interaction, and can be exploited over the network, making it relatively easy to execute. The CVSS v4.0 base score is 6.9, reflecting a medium severity level primarily due to the impact on availability and ease of exploitation. Although no known exploits in the wild have been reported at the time of publication, public exploit code is available, increasing the risk of active exploitation. The issue affects all Open5GS versions from 2.7.0 through 2.7.6. A patch has been released (commit 69b53add90a9479d7960b822fc60601d659c328b) that corrects the input handling logic to prevent the crash. Given Open5GS’s role in 5G core networks, this vulnerability could disrupt mobile network services if exploited.

The primary impact of CVE-2026-1521 is denial of service against the SGWC component of Open5GS, which can cause service outages in 5G core network infrastructure. This disruption can lead to loss of connectivity for mobile users relying on the affected network, impacting voice, data, and signaling services. For mobile network operators and service providers, this can translate into degraded user experience, potential revenue loss, and damage to reputation. Since the vulnerability can be exploited remotely without authentication, attackers can target exposed SGWC interfaces to cause widespread outages. Critical infrastructure relying on Open5GS, including private 5G deployments in enterprises, industrial environments, and public networks, may face operational disruptions. Although the vulnerability does not compromise data confidentiality or integrity, the availability impact alone is significant given the essential role of the SGWC in bearer management and session continuity. The public availability of exploit code increases the urgency for mitigation to prevent opportunistic attacks.

Organizations using Open5GS should immediately apply the official patch identified by commit 69b53add90a9479d7960b822fc60601d659c328b or upgrade to a version beyond 2.7.6 that includes the fix. Network administrators should restrict access to the SGWC S5-C interface by implementing network segmentation and firewall rules to limit exposure to trusted management and signaling networks only. Monitoring and anomaly detection should be enhanced to identify unusual bearer resource failure indications or repeated crashes of the SGWC process. Implementing redundancy and failover mechanisms for the SGWC component can reduce service disruption impact if an attack occurs. Regularly auditing and updating Open5GS deployments to the latest secure versions is critical. Additionally, operators should consider deploying intrusion prevention systems capable of detecting malformed S5-C messages that could trigger the vulnerability. Finally, maintaining an incident response plan specific to 5G core network components will help rapidly mitigate and recover from potential denial of service incidents.