
CVE-2026-2521: Memory Corruption in Open5GS

Severity: Medium
Type: Vulnerability
Published: Sun Feb 15 2026 (02/15/2026, 23:02:07 UTC)
Source: CVE Database V5
Product: Open5GS

Description

A weakness has been identified in Open5GS up to 2.7.6. This issue affects the function sgwc_s5c_handle_create_session_response of the component SGW-C. Executing a manipulation can lead to memory corruption. The attack may be performed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AI-Powered Analysis

Last updated: 02/15/2026, 23:18:59 UTC

Technical Analysis

CVE-2026-2521 identifies a memory corruption vulnerability in the Open5GS project, an open-source implementation of 5G core network components. The issue resides in the SGW-C (Serving Gateway Control plane) component, specifically within the function sgwc_s5c_handle_create_session_response. This function handles session creation responses over the S5-C interface, which is critical for managing user sessions in the 5G core network. The vulnerability allows an attacker to remotely manipulate inputs to this function, causing memory corruption that could lead to denial of service or potentially arbitrary code execution, depending on the exploitation specifics. The attack vector is network-based, requiring no authentication or user interaction, increasing the risk profile. The vulnerability affects all Open5GS versions from 2.7.0 through 2.7.6. Although the Open5GS project was notified early, no patch or official response has been released at the time of publication. The CVSS 4.0 score is 6.9 (medium severity), reflecting the ease of remote exploitation but limited impact scope and no known exploits in the wild. Open5GS is increasingly used by telecom operators and enterprises for private and public 5G core deployments due to its open-source nature and flexibility. This vulnerability thus poses a risk to the integrity and availability of 5G core network functions, potentially disrupting mobile services or enabling further attacks within the network infrastructure.

Potential Impact

For European organizations, the impact of CVE-2026-2521 can be significant, especially for telecom operators and enterprises deploying Open5GS-based 5G core networks. Exploitation could lead to memory corruption in the SGW-C component, resulting in service disruptions such as dropped sessions, degraded network performance, or denial of service. This can affect end-user connectivity and critical services relying on 5G networks, including IoT, industrial automation, and emergency communications. Additionally, if exploited for arbitrary code execution, attackers could gain control over core network functions, leading to data breaches, traffic interception, or further lateral movement within the network. The lack of authentication and user interaction requirements lowers the barrier for attackers, increasing the threat level. Given the strategic importance of 5G infrastructure in Europe’s digital economy and critical services, this vulnerability could have cascading effects on national security and economic activities. Organizations using Open5GS must consider the risk of targeted attacks by advanced threat actors seeking to disrupt or surveil 5G communications.

Mitigation Recommendations

1. Monitor the Open5GS project and related security advisories closely for official patches or updates addressing CVE-2026-2521 and apply them immediately upon release.
2. Until patches are available, implement network-level protections such as firewall rules and intrusion detection/prevention systems (IDS/IPS) to restrict and monitor traffic to the SGW-C interfaces, particularly the S5-C interface.
3. Employ strict network segmentation to isolate 5G core network components from other enterprise or public networks, minimizing exposure to external attackers.
4. Conduct regular security assessments and fuzz testing on Open5GS deployments to detect anomalous behavior or potential exploitation attempts.
5. Enhance logging and monitoring of SGW-C component activities to identify suspicious session creation responses or memory anomalies.
6. Limit access to management interfaces and ensure strong authentication and authorization controls are in place.
7. Engage with telecom vendors and open-source communities to share threat intelligence and coordinate response efforts.
8. Prepare incident response plans specific to 5G core network compromises, including rapid containment and recovery procedures.
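As an added example for recommendations 2 and 5 (not code from this advisory or from the Open5GS project), the Python below triages datagrams arriving at the SGW-C on S5-C: it flags Create Session Response messages from peers outside an allowlist and headers whose declared length disagrees with the datagram size. It assumes S5-C carries GTPv2-C over UDP port 2123 with Create Session Response as message type 33 (3GPP TS 29.274); the allowlist, addresses and sample datagrams are constructed, and the checks are general protocol hygiene rather than a signature for this CVE's trigger, which the page does not describe.

```python
import ipaddress
import struct

CREATE_SESSION_RESPONSE = 33  # GTPv2-C message type (3GPP TS 29.274)
# Assumption: the PGW-C peers this SGW-C legitimately talks to on S5-C.
ALLOWED_S5C_PEERS = [ipaddress.ip_network("10.10.5.0/29")]


def parse_gtpv2_header(payload: bytes):
    """Return (flags, msg_type, declared_len) or None if not a GTPv2-C header."""
    if len(payload) < 8:
        return None
    flags, msg_type, length = struct.unpack_from("!BBH", payload, 0)
    if flags >> 5 != 2:  # version field must be 2
        return None
    if flags & 0x08 and len(payload) < 12:  # T flag set: TEID must fit
        return None
    return flags, msg_type, length


def triage(src_ip: str, payload: bytes) -> list:
    """Classify one UDP/2123 datagram received by the SGW-C; return alert names."""
    hdr = parse_gtpv2_header(payload)
    if hdr is None:
        return ["malformed-gtpv2-header"]
    flags, msg_type, length = hdr
    alerts = []
    actual = len(payload) - 4  # Length excludes the first 4 header octets
    piggybacked = bool(flags & 0x10)  # P flag: a second message may follow
    if length > actual or (length < actual and not piggybacked):
        alerts.append("length-mismatch")
    if msg_type == CREATE_SESSION_RESPONSE:
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in ALLOWED_S5C_PEERS):
            alerts.append("create-session-response-from-unlisted-peer")
    return alerts


def build_sample(msg_type: int, body: bytes = b"") -> bytes:
    """Constructed datagram: version 2, T flag set, TEID 0x1234, sequence 1."""
    rest = struct.pack("!I", 0x1234) + b"\x00\x00\x01\x00" + body
    return struct.pack("!BBH", 0x48, msg_type, len(rest)) + rest


if __name__ == "__main__":
    print(triage("10.10.5.2", build_sample(33)))    # listed peer
    print(triage("203.0.113.7", build_sample(33)))  # unlisted peer
```

Feed `triage` the source address and UDP payload of each port-2123 datagram from a capture or mirror port, and forward non-empty results to the SGW-C monitoring pipeline.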


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-15T08:36:09.388Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 699253b94b0e3abdf99ab24e

Added to database: 2/15/2026, 11:16:09 PM

Last enriched: 2/15/2026, 11:18:59 PM

Last updated: 2/20/2026, 11:18:07 PM
