CVE-2026-2062
Published: 06 February 2026
Summary
CVE-2026-2062 is a medium-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Open5Gs Open5Gs. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 18.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Contingency plan updates incorporate proper resource shutdown and release steps, preventing attackers from leveraging incomplete cleanup during recovery scenarios.
Mandates explicit shutdown of the network connection at session conclusion, directly addressing improper resource release.
Requires proper shutdown/release procedures that include overwriting or isolating data to block unintended transfer via reused system objects.
Procedures can mandate orderly shutdown or release of resources when failures occur, preventing improper resource handling after a fault.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Null pointer dereference in network-facing Open5GS component directly enables remote unauthenticated application crash via crafted input, matching T1499.004 Application or System Exploitation for denial-of-service.
NVD Description
A vulnerability was identified in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_modify_bearer_response/sgwc_sxa_handle_session_modification_response of the component PGW S5U Address Handler. The manipulation leads to null pointer dereference. The attack can be initiated remotely. The exploit is publicly available and…
more
might be used. The identifier of the patch is f1bbd7b57f831e2a070780a7d8d5d4c73babdb59. Applying a patch is the recommended action to fix this issue.
Deeper analysisAI
CVE-2026-2062 is a null pointer dereference vulnerability in Open5GS versions up to and including 2.7.6. It affects the PGW S5U Address Handler component, specifically the functions sgwc_s5c_handle_modify_bearer_response and sgwc_sxa_handle_session_modification_response. The issue, linked to CWE-404 (Improper Resource Shutdown or Release) and CWE-476 (NULL Pointer Dereference), was published on 2026-02-06.
The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating it can be exploited remotely by an unauthenticated attacker with low attack complexity and no user interaction. Successful exploitation triggers a null pointer dereference, resulting in a denial-of-service condition with low availability impact and no effects on confidentiality or integrity.
Mitigation involves applying the patch from commit f1bbd7b57f831e2a070780a7d8d5d4c73babdb59 in the Open5GS GitHub repository, which is the recommended fix. Further details are documented in GitHub issues #4257 and the related comment #3787701521.
An exploit for this vulnerability is publicly available and might be used in attacks.
Details
- CWE(s)