Open5GS is an open-source implementation of the 5G core network, widely used for research, testing, and some production environments. CVE-2026-1522 affects the SGWC (Serving Gateway Control) component, specifically the function sgwc_s5c_handle_modify_bearer_response located in src/sgwc/s5c-handler.c. This function handles modify bearer response messages on the S5 interface, which is critical for managing bearer sessions in the 5G core. The vulnerability arises from improper handling of these messages, allowing a remote attacker to craft malicious packets that cause the SGWC process to crash or become unresponsive, resulting in denial of service. The attack vector is network-based with no authentication or user interaction required, making it relatively easy to exploit. The vulnerability affects all Open5GS versions from 2.7.0 through 2.7.6. The issue has been publicly disclosed with a CVSS v4.0 score of 6.9 (medium severity), reflecting the moderate impact and ease of exploitation. A patch (commit b19cf6a) has been released to fix the flaw by improving input validation and error handling in the affected function. No known active exploitation campaigns have been reported, but the availability of a public exploit increases the risk of opportunistic attacks.

The primary impact of CVE-2026-1522 is denial of service against the SGWC component of Open5GS, which can disrupt 5G core network operations. This disruption can lead to loss of connectivity for subscribers relying on the affected network, impacting voice, data, and signaling services. For organizations deploying Open5GS in production or test environments, this could result in service outages, degraded network performance, and potential reputational damage. Since the vulnerability can be exploited remotely without authentication, attackers can target exposed 5G core network interfaces to cause outages. While the vulnerability does not directly compromise confidentiality or integrity, the availability impact on critical network infrastructure can have cascading effects on dependent services and users. The risk is higher for operators and enterprises using Open5GS as part of their 5G core infrastructure, especially if the affected versions are exposed to untrusted networks without adequate perimeter defenses.

Organizations should immediately apply the patch identified as commit b19cf6a that fixes the vulnerability in Open5GS versions 2.7.0 through 2.7.6. If patching is not immediately possible, network administrators should restrict access to the SGWC interfaces, especially the S5 interface, using firewalls or network segmentation to limit exposure to untrusted networks. Monitoring network traffic for anomalous or malformed modify bearer response messages can help detect attempted exploitation. Deploying intrusion detection or prevention systems with signatures targeting this vulnerability can provide additional protection. Regularly updating Open5GS to the latest stable version ensures that all known vulnerabilities are addressed. Additionally, organizations should implement robust logging and alerting on core network components to quickly identify and respond to service disruptions. Conducting security assessments and penetration testing on 5G core deployments can help identify similar weaknesses proactively.