CVE-2026-1587: Denial of Service in Open5GS
A vulnerability has been found in Open5GS up to 2.7.6. The affected element is the function sgwc_s11_handle_modify_bearer_request of the file /sgwc/s11-handler.c of the component SGWC. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Applying a patch is the recommended action to fix this issue. The issue report is flagged as already-fixed.
AI Analysis
Technical Summary
Open5GS is an open-source implementation of the 5G core network, widely used for research, testing, and production in mobile network infrastructures. CVE-2026-1587 identifies a denial of service (DoS) vulnerability in the SGWC (Serving Gateway Control) component, specifically within the sgwc_s11_handle_modify_bearer_request function located in the /sgwc/s11-handler.c source file. This function handles Modify Bearer Request messages over the S11 interface, which is critical for bearer management in the 5G core network. The vulnerability arises from improper handling or validation of these requests, allowing a remote attacker to craft malicious packets that cause the SGWC process to crash or become unresponsive, leading to denial of service. The attack requires no authentication, user interaction, or privileges, and can be executed remotely over the network. The CVSS 4.0 base score is 6.9, a medium severity level, because the impact is limited to service disruption, with no effect on confidentiality or integrity. The vulnerability affects all Open5GS versions from 2.7.0 through 2.7.6. The issue has been publicly disclosed and fixed in subsequent releases, though no confirmed exploits have been detected in the wild. Given the critical role of SGWC in 5G core networks, this vulnerability could disrupt mobile network services if exploited.
Potential Impact
Exploitation of CVE-2026-1587 can cause denial of service in the SGWC component of Open5GS, leading to service outages or degraded performance in 5G core network operations. This disruption can affect bearer management, impacting user data sessions and potentially causing dropped connections or inability to establish new sessions. For mobile network operators and enterprises relying on Open5GS for 5G core functions, this could translate into network downtime, customer dissatisfaction, and potential financial losses. The lack of authentication or user interaction requirements increases the risk of automated or widespread attacks. While the vulnerability does not compromise data confidentiality or integrity, the availability impact on critical network infrastructure is significant. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as the exploit code is publicly available. Organizations running vulnerable Open5GS versions should consider the potential for targeted attacks aiming to disrupt service availability.
Mitigation Recommendations
To mitigate CVE-2026-1587, organizations should promptly apply the official patches or upgrade Open5GS to versions later than 2.7.6 where the vulnerability is fixed. Network operators should implement strict filtering and validation of S11 interface traffic to block malformed or suspicious Modify Bearer Request messages. Deploying intrusion detection/prevention systems (IDS/IPS) with signatures tuned to detect anomalous S11 traffic patterns can help identify exploitation attempts. Limiting network exposure of the S11 interface to trusted entities and enforcing network segmentation reduces the attack surface. Monitoring SGWC process health and implementing automated failover or restart mechanisms can minimize downtime if an attack occurs. Regularly auditing and updating Open5GS deployments, combined with comprehensive logging and alerting on control plane anomalies, will enhance early detection and response capabilities. Finally, organizations should stay informed about updates from Open5GS maintainers and security advisories related to 5G core components.
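One way to implement the S11 validation recommended above, as an added example (not Open5GS code and not part of the advisory). It assumes S11 carries GTPv2-C as defined in 3GPP TS 29.274; the function names and sample values are constructed, and the checks are generic structural ones, since the advisory does not describe the specific malformation.

```python
import struct

MODIFY_BEARER_REQUEST = 34                    # GTPv2-C message type (3GPP TS 29.274)
IE_F_TEID, IE_BEARER_CONTEXT = 87, 93         # GTPv2-C IE types

def walk_ies(body: bytes, depth: int = 0) -> list:
    """Walk type/length/instance/value IEs and report any that do not fit."""
    problems, off = [], 0
    while off < len(body):
        if len(body) - off < 4:
            return problems + [f"truncated IE header at offset {off}"]
        ie_type, ie_len, _instance = struct.unpack_from("!BHB", body, off)
        value = body[off + 4: off + 4 + ie_len]
        if len(value) != ie_len:
            return problems + [f"IE {ie_type} overruns its container"]
        if ie_type == IE_F_TEID:
            flags = value[0] if value else 0
            need = 5 + 4 * bool(flags & 0x80) + 16 * bool(flags & 0x40)  # V4 / V6 address
            if ie_len < need:
                problems.append("F-TEID shorter than its flags require")
        elif ie_type == IE_BEARER_CONTEXT:        # grouped IE: check members, one level only
            problems += ["nested Bearer Context"] if depth else walk_ies(value, depth + 1)
        off += 4 + ie_len
    return problems

def check_s11_datagram(datagram: bytes) -> list:
    """Return structural problems in one GTPv2-C datagram; empty list means none found."""
    if len(datagram) < 8:
        return ["shorter than a GTPv2-C header"]
    flags, msg_type, length = struct.unpack_from("!BBH", datagram)
    header_len = 12 if flags & 0x08 else 8        # T flag: header carries a TEID
    end = length + 4                              # Length excludes the first 4 octets
    problems = [] if flags >> 5 == 2 else ["version is not 2"]
    if end < header_len or end > len(datagram):
        return problems + ["Length field inconsistent with datagram size"]
    if end < len(datagram) and not flags & 0x10:  # P flag would announce a second message
        problems.append("trailing bytes after message")
    if msg_type == MODIFY_BEARER_REQUEST and not flags & 0x08:
        problems.append("Modify Bearer Request without TEID")
    return problems + walk_ies(datagram[header_len:end])

def ie(ie_type: int, value: bytes) -> bytes:
    return struct.pack("!BHB", ie_type, len(value), 0) + value

def sample_request() -> bytes:
    """Constructed, well-formed Modify Bearer Request; every value is made up."""
    f_teid = ie(IE_F_TEID, b"\x80" + bytes.fromhex("00000001") + bytes([10, 0, 0, 1]))
    body = ie(IE_BEARER_CONTEXT, ie(73, b"\x05") + f_teid)   # 73 = EPS Bearer ID
    header = struct.pack("!BBHI", 0x48, MODIFY_BEARER_REQUEST, len(body) + 8, 0x1234)
    return header + b"\x00\x00\x01\x00" + body               # sequence number + spare
```

A non-empty result is grounds to drop or log the datagram before it reaches SGWC. Passing these checks does not make a message safe for an unpatched build, so filtering complements the upgrade and does not replace it.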
Affected Countries
United States, China, South Korea, Japan, Germany, France, United Kingdom, India, Brazil, Australia, Canada, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-29T05:58:44.734Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 697b7905ac06320222957a29
Added to database: 1/29/2026, 3:13:09 PM
Last enriched: 2/23/2026, 10:35:39 PM
Last updated: 3/24/2026, 10:43:28 AM