Cyber Resilience

CVE-2026-2062

MediumPublic PoC

Published: 06 February 2026

Published
06 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0007 21.6th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2062 is a medium-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Open5Gs Open5Gs. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 21.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2062 is a null pointer dereference vulnerability in Open5GS versions up to and including 2.7.6. It affects the PGW S5U Address Handler component, specifically the functions sgwc_s5c_handle_modify_bearer_response and sgwc_sxa_handle_session_modification_response. The issue, linked to CWE-404 (Improper Resource Shutdown or Release) and CWE-476 (NULL Pointer Dereference), was published on 2026-02-06.

The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating it can be exploited remotely by an unauthenticated attacker with low attack complexity and no user interaction. Successful exploitation triggers a null pointer dereference, resulting in a denial-of-service condition with low availability impact and no effects on confidentiality or integrity.

Mitigation involves applying the patch from commit f1bbd7b57f831e2a070780a7d8d5d4c73babdb59 in the Open5GS GitHub repository, which is the recommended fix. Further details are documented in GitHub issues #4257 and the related comment #3787701521.

An exploit for this vulnerability is publicly available and might be used in attacks.

EU & UK References

Vulnerability details

A vulnerability was identified in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_modify_bearer_response/sgwc_sxa_handle_session_modification_response of the component PGW S5U Address Handler. The manipulation leads to null pointer dereference. The attack can be initiated remotely. The exploit is publicly available and…

more

might be used. The identifier of the patch is f1bbd7b57f831e2a070780a7d8d5d4c73babdb59. Applying a patch is the recommended action to fix this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Null pointer dereference in network-facing Open5GS component directly enables remote unauthenticated application crash via crafted input, matching T1499.004 Application or System Exploitation for denial-of-service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2517Same product: Open5Gs Open5Gs
CVE-2026-1521Same product: Open5Gs Open5Gs
CVE-2026-1522Same product: Open5Gs Open5Gs
CVE-2025-1893Same product: Open5Gs Open5Gs
CVE-2026-2524Same product: Open5Gs Open5Gs
CVE-2026-1587Same product: Open5Gs Open5Gs
CVE-2026-1586Same product: Open5Gs Open5Gs
CVE-2025-15529Same product: Open5Gs Open5Gs
CVE-2025-15539Same product: Open5Gs Open5Gs
CVE-2026-4240Same product: Open5Gs Open5Gs

Affected Assets

open5gs
open5gs
≤ 2.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely flaw remediation via patches such as commit f1bbd7b to eliminate the null-pointer dereference in the PGW S5U handler.

prevent

Explicitly mandates controls that protect against or limit denial-of-service conditions triggered by the remote null dereference.

prevent

Requires graceful error handling so that a null pointer in sgwc_s5c_handle_modify_bearer_response does not crash the process.

References