CVE-2026-2521: Memory Corruption in Open5GS
A weakness has been identified in Open5GS up to 2.7.6. The issue affects the function sgwc_s5c_handle_create_session_response of the SGW-C component. Manipulated input can lead to memory corruption. The attack can be launched remotely. An exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
AI Analysis
Technical Summary
CVE-2026-2521 is a memory corruption vulnerability identified in Open5GS, an open-source 5G core network implementation widely used by telecom operators and researchers. The issue resides in the sgwc_s5c_handle_create_session_response function within the Serving Gateway Control Plane (SGW-C) component. This function handles session creation responses over the S5-C interface, which is critical for managing user session data between the Serving Gateway and the Packet Data Network Gateway. Improper handling or manipulation of input data in this function can lead to memory corruption, potentially causing crashes, denial of service, or arbitrary code execution. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing the risk profile. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of remote exploitation but limited impact scope due to the absence of privilege escalation or confidentiality/integrity violations beyond memory corruption. The vulnerability affects all Open5GS versions from 2.7.0 through 2.7.6. Although the Open5GS project was notified early, no official patch or response has been released at the time of publication. Public exploit code is available, which could facilitate attacks by malicious actors targeting telecom infrastructure using Open5GS. The lack of vendor response and patch availability increases the urgency for operators to implement interim mitigations and monitor for exploitation attempts.
Potential Impact
The vulnerability impacts the core network infrastructure of 5G deployments using Open5GS, specifically the Serving Gateway Control Plane responsible for session management. Exploitation can lead to memory corruption, which may cause service disruption through crashes or denial of service, impacting network availability. In worst cases, attackers might achieve arbitrary code execution, threatening the integrity and confidentiality of network functions and user data. Given that Open5GS is used globally in both production and research environments, the threat could affect telecom operators, private 5G networks, and enterprises deploying Open5GS-based solutions. Disruption of 5G core network components can degrade service quality, interrupt subscriber connectivity, and potentially expose sensitive subscriber information. The availability of public exploit code lowers the barrier for attackers, increasing the likelihood of targeted attacks. The absence of authentication and user interaction requirements further broadens the attack surface. Overall, this vulnerability poses a significant risk to the stability and security of 5G networks relying on Open5GS, with potential cascading effects on dependent services and applications.
Mitigation Recommendations
1. Immediate mitigation should focus on network-level protections such as firewall rules and access control lists to restrict access to the SGW-C S5-C interface from untrusted networks, limiting exposure to potential attackers.
2. Deploy intrusion detection and prevention systems (IDS/IPS) with signatures or heuristics to detect anomalous or malformed session creation response messages targeting the vulnerable function.
3. Monitor network logs and traffic for unusual patterns or crashes related to the SGW-C component to identify exploitation attempts early.
4. Engage with the Open5GS community and maintain awareness of updates or patches addressing this vulnerability; apply official patches promptly once released.
5. Consider deploying application-layer mitigations such as input validation or sandboxing around the affected function if feasible within the Open5GS codebase.
6. For operators running Open5GS in production, plan for rapid incident response and recovery procedures to minimize downtime in case of exploitation.
7. Evaluate alternative 5G core implementations or vendor-supported solutions with active security maintenance if patching is delayed.
8. Conduct regular security assessments and penetration testing focusing on 5G core network components to identify and remediate similar vulnerabilities proactively.
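Recommendations 1 and 2 can be combined in a monitor placed in front of the SGW-C S5-C socket. The following Python is an added example, not Open5GS code and not a signature for this specific CVE: it flags Create Session Response messages from peers outside an allowlist and messages whose GTPv2-C header or IE lengths are inconsistent. The function names, peer addresses, and sample messages are constructed assumptions; the header layout and message type 33 follow 3GPP TS 29.274.

```python
import struct

CREATE_SESSION_RESPONSE = 33  # GTPv2-C message type (3GPP TS 29.274)

def inspect_gtpv2c(payload, src_ip, allowed_peers):
    """Return findings for one UDP payload seen on the S5-C port (UDP 2123)."""
    if len(payload) < 8:
        return ["truncated header"]
    flags, msg_type, length = struct.unpack_from("!BBH", payload, 0)
    if flags >> 5 != 2:
        return ["not GTP version 2"]
    findings = []
    has_teid = bool(flags & 0x08)          # T flag: TEID field present
    hdr_len = 12 if has_teid else 8
    end = 4 + length                       # Length excludes the first 4 octets
    if end != len(payload) or end < hdr_len:
        # Piggybacked messages (P flag) also land here and need manual review.
        findings.append(f"length field {length} disagrees with datagram size {len(payload)}")
    end = min(end, len(payload))           # never walk past the real data
    offset = hdr_len
    while offset < end:                    # walk the IE TLVs
        if offset + 4 > end:
            findings.append("dangling bytes after last IE")
            break
        ie_type, ie_len = struct.unpack_from("!BH", payload, offset)
        offset += 4                        # type, length, spare/instance
        if offset + ie_len > end:
            findings.append(f"IE type {ie_type} length {ie_len} overruns message")
            break
        offset += ie_len
    if msg_type == CREATE_SESSION_RESPONSE:
        if not has_teid:
            findings.append("Create Session Response without TEID")
        if src_ip not in allowed_peers:
            findings.append(f"Create Session Response from unlisted peer {src_ip}")
    return findings

def build_sample(msg_type, ies, declared_len=None):
    """Constructed test message: TEID 0x11223344, sequence number 1."""
    body = struct.pack("!I", 0x11223344) + b"\x00\x00\x01\x00"
    for ie_type, ie_len, value in ies:
        body += struct.pack("!BHB", ie_type, ie_len, 0) + value
    length = len(body) if declared_len is None else declared_len
    return struct.pack("!BBH", 0x48, msg_type, length) + body

PGW_ALLOWLIST = {"192.0.2.10"}                                    # constructed address
WELL_FORMED = build_sample(33, [(2, 2, b"\x10\x00")])             # Cause IE, 2 bytes
IE_OVERRUN = build_sample(33, [(2, 200, b"\x10\x00")])            # IE claims 200 bytes
BAD_LENGTH = build_sample(33, [(2, 2, b"\x10\x00")], declared_len=400)
```

Findings from a check like this are alerts to triage alongside SGW-C crash logs; an empty result does not mean a message is safe for an unpatched SGW-C.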
Affected Countries
United States, China, India, Germany, South Korea, Japan, France, United Kingdom, Brazil, Australia, Canada, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-15T08:36:09.388Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699253b94b0e3abdf99ab24e
Added to database: 2/15/2026, 11:16:09 PM
Last enriched: 2/23/2026, 9:13:57 PM
Last updated: 4/4/2026, 4:52:54 PM