CVE-2026-1587: Denial of Service in Open5GS
CVE-2026-1587 is a medium-severity denial of service vulnerability in Open5GS versions up to 2.7.6, specifically in the SGWC component's sgwc_s11_handle_modify_bearer_request function. The flaw allows a remote attacker to cause a denial of service without requiring authentication or user interaction. The vulnerability has been publicly disclosed and is already fixed in newer versions. Exploitation could disrupt 5G core network operations relying on Open5GS. European telecom operators using Open5GS should prioritize patching to maintain service availability. No known exploits are currently observed in the wild. The CVSS 4.0 base score is 6.9.
AI Analysis
Technical Summary
CVE-2026-1587 identifies a denial of service (DoS) vulnerability in Open5GS, an open-source 5G core network implementation widely used for mobile network infrastructure. The vulnerability resides in the SGWC (Serving Gateway Control) component, specifically within the sgwc_s11_handle_modify_bearer_request function in the /sgwc/s11-handler.c source file. This function handles Modify Bearer Request messages over the S11 interface, which is critical for bearer management between the Mobility Management Entity (MME) and Serving Gateway (SGW). Due to improper handling or validation of these requests, a remote attacker can craft malicious Modify Bearer Request messages that cause the SGWC process to crash or become unresponsive, resulting in a denial of service. The attack vector is network-based and does not require any authentication or user interaction, making it relatively easy to exploit if the attacker can reach the vulnerable interface. The vulnerability affects all Open5GS versions from 2.7.0 through 2.7.6. The issue has been publicly disclosed with patches available, and the vulnerability is flagged as fixed in subsequent releases. The CVSS 4.0 base score of 6.9 reflects a medium severity rating, primarily due to the impact on availability and the ease of remote exploitation without privileges. No known exploits have been reported in the wild at this time, but the public disclosure increases the risk of exploitation attempts. This vulnerability can disrupt 5G core network operations, potentially impacting mobile service continuity and quality.
Potential Impact
For European organizations, especially telecom operators and mobile network providers deploying Open5GS as part of their 5G core infrastructure, this vulnerability poses a risk of service disruption. A successful denial of service attack could lead to outages or degraded performance in 5G bearer management, affecting subscriber connectivity and quality of service. This could result in customer dissatisfaction, regulatory scrutiny, and financial losses. Critical infrastructure relying on 5G connectivity, such as emergency services, IoT deployments, and industrial automation, could also be indirectly impacted. Given the increasing adoption of Open5GS in private and public 5G networks across Europe, the potential for widespread impact exists if patches are not applied promptly. The vulnerability does not compromise confidentiality or integrity but threatens availability, which is crucial for telecom operations. The absence of required authentication and user interaction lowers the barrier for attackers, increasing the urgency for mitigation.
Mitigation Recommendations
European organizations should immediately verify their Open5GS deployments and upgrade to the latest patched version beyond 2.7.6 where this vulnerability is fixed. Network segmentation and strict access controls should be enforced to limit exposure of the S11 interface to trusted entities only, reducing the attack surface. Deploying intrusion detection/prevention systems (IDS/IPS) with signatures or anomaly detection for malformed Modify Bearer Requests can help detect and block exploitation attempts. Regular monitoring of SGWC logs and system health metrics should be implemented to identify early signs of exploitation or service degradation. Organizations should also conduct penetration testing and vulnerability assessments focused on 5G core components to ensure no residual weaknesses remain. Coordination with vendors and participation in threat intelligence sharing forums can provide timely updates on emerging exploits or patches. Finally, incident response plans should be updated to address potential 5G core network DoS scenarios.
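One way to implement the anomaly check for malformed Modify Bearer Requests recommended above, as an added example (not Open5GS code and not part of the original advisory): a C function that checks GTPv2-C framing per 3GPP TS 29.274 on a payload seen on the S11 interface. The advisory does not say which malformation triggers the crash, so this checks general well-formedness only; the function name, verdict names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GTP2_MODIFY_BEARER_REQUEST 34 /* message type, 3GPP TS 29.274 */

enum s11_verdict { S11_OK, S11_NOT_MBR, S11_SHORT_HEADER, S11_BAD_VERSION,
                   S11_NO_TEID, S11_LENGTH_MISMATCH, S11_TRUNCATED_IE };

/* Classify one UDP payload from the S11 interface (hypothetical helper).
 * Assumption: piggybacked messages are not expected and are reported as
 * a length mismatch. */
enum s11_verdict s11_check(const uint8_t *p, size_t n)
{
    if (n < 8) return S11_SHORT_HEADER;          /* minimum GTPv2-C header */
    if ((p[0] >> 5) != 2) return S11_BAD_VERSION;
    if (p[1] != GTP2_MODIFY_BEARER_REQUEST) return S11_NOT_MBR;
    if (!(p[0] & 0x08)) return S11_NO_TEID;      /* T flag must be set */
    if (n < 12) return S11_SHORT_HEADER;         /* header with TEID */

    /* The length field counts everything after the first 4 octets. */
    size_t declared = ((size_t)p[2] << 8) | p[3];
    if (declared + 4 != n) return S11_LENGTH_MISMATCH;

    /* Walk IEs: type(1) length(2) spare/instance(1) value(length). */
    size_t off = 12;
    while (off < n) {
        if (n - off < 4) return S11_TRUNCATED_IE;
        size_t ie_len = ((size_t)p[off + 1] << 8) | p[off + 2];
        off += 4;
        if (ie_len > n - off) return S11_TRUNCATED_IE;
        off += ie_len;
    }
    return S11_OK;
}

/* Constructed samples: one well-formed message carrying a single 1-byte
 * IE, and the same message with the IE length inflated to 64. */
static const uint8_t sample_ok[] = { 0x48, 0x22, 0x00, 0x0D, 0, 0, 0, 1,
    0, 0, 1, 0, 0x03, 0x00, 0x01, 0x00, 0x05 };
static const uint8_t sample_bad_ie[] = { 0x48, 0x22, 0x00, 0x0D, 0, 0, 0, 1,
    0, 0, 1, 0, 0x03, 0x00, 0x40, 0x00, 0x05 };

int main(void)
{
    printf("ok=%d bad_ie=%d\n", s11_check(sample_ok, sizeof sample_ok),
           s11_check(sample_bad_ie, sizeof sample_bad_ie));
    return 0;
}
```

Any verdict other than S11_OK or S11_NOT_MBR on traffic from a trusted MME is worth logging and correlating with SGWC restarts.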
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-29T05:58:44.734Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 697b7905ac06320222957a29
Added to database: 1/29/2026, 3:13:09 PM
Last enriched: 1/29/2026, 3:27:24 PM
Last updated: 1/29/2026, 6:53:44 PM