
CVE-2026-1736: Reachable Assertion in Open5GS

Severity: Medium
Type: Vulnerability
Published: Mon Feb 02 2026 (02/02/2026, 00:32:06 UTC)
Source: CVE Database V5
Product: Open5GS

Description

A security vulnerability has been detected in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c of the component SGWC. Such manipulation leads to reachable assertion. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. A patch should be applied to remediate this issue. The issue report is flagged as already-fixed.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/23/2026, 21:54:39 UTC

Technical Analysis

CVE-2026-1736 identifies a reachable assertion vulnerability in Open5GS, an open-source 5G core network implementation widely used by telecom operators and research institutions. The flaw resides in the SGWC (Serving Gateway Control) component, specifically within the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request located in /src/sgwc/s11-handler.c. This function handles requests related to indirect data forwarding tunnels over the S11 interface, which is critical for user plane data forwarding in 5G networks. An attacker can remotely send crafted messages to this function, triggering an assertion failure that causes the process to terminate unexpectedly. This results in a denial of service condition, disrupting the availability of the affected network function. The vulnerability requires no authentication or user interaction, making it easier to exploit remotely. The issue affects Open5GS versions 2.7.0 through 2.7.6, and a fix has been released in subsequent versions. While no active exploitation has been observed, the public disclosure of the exploit code increases the risk of opportunistic attacks. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no privileges or user interaction required, and limited impact on availability (VA:L), resulting in a medium severity rating with a score of 6.9.

Potential Impact

The primary impact of CVE-2026-1736 is the potential for denial of service against Open5GS SGWC components, which are integral to 5G core network operations. Disruption of the SGWC can interrupt user plane data forwarding, leading to degraded or lost connectivity for mobile subscribers. This can affect telecom operators' ability to maintain continuous service, impacting customer experience and potentially causing financial losses. Additionally, denial of service in core network functions can have cascading effects on dependent services and applications. Since the vulnerability can be exploited remotely without authentication, attackers can launch attacks from anywhere on the internet, increasing the threat surface. Organizations relying on Open5GS for 5G network infrastructure, including research labs, private networks, and smaller operators, are at risk. Although the vulnerability does not directly lead to data confidentiality or integrity breaches, the availability impact on critical telecom infrastructure is significant. The medium severity rating reflects these factors, emphasizing the need for timely patching to maintain network reliability.

Mitigation Recommendations

Organizations should immediately upgrade Open5GS deployments to versions later than 2.7.6 where the vulnerability is patched. If upgrading is not immediately feasible, network administrators should implement strict filtering and validation of S11 interface traffic to block malformed or suspicious packets that could trigger the assertion. Deploying intrusion detection or prevention systems (IDS/IPS) with signatures tuned to detect exploitation attempts against this vulnerability can provide additional protection. Network segmentation should be enforced to isolate core network functions from untrusted networks, reducing exposure. Regular monitoring of SGWC logs and system health can help detect early signs of exploitation or instability. Operators should also review and harden their overall 5G core network security posture, including applying the latest security patches for all components. Coordination with Open5GS community and vendors for timely updates and advisories is recommended. Finally, conducting penetration testing and vulnerability assessments focused on 5G core components can help identify residual risks.


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-01T07:44:34.393Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 697ff68cac06320222673ab0

Added to database: 2/2/2026, 12:57:48 AM

Last enriched: 2/23/2026, 9:54:39 PM

Last updated: 3/25/2026, 1:23:14 AM
