Cyber Resilience

CVE-2026-2521

MediumPublic PoC

Published: 15 February 2026

Published
15 February 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0068 47.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-2521 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Open5Gs Open5Gs. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 47.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-2521 is a memory corruption vulnerability (CWE-119) in Open5GS versions up to and including 2.7.6. The issue resides in the sgwc_s5c_handle_create_session_response function within the SGW-C component. It has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating medium severity primarily due to its potential for remote denial-of-service impacts.

The vulnerability can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation triggers memory corruption, resulting in limited availability disruption, such as crashes or service degradation in the affected SGW-C process. A public exploit is available, enabling potential attacks against exposed Open5GS deployments.

References, including GitHub issues #4282 and related comments in the open5gs/open5gs repository, indicate the project was notified early via an issue report but has not yet responded or issued patches. VulDB entries (ctiid.346109 and id.346109) document the flaw but provide no additional mitigation guidance.

Notable context includes the public availability of an exploit, which could facilitate real-world attacks on unpatched 5G core network implementations using Open5GS. No evidence of active exploitation in the wild is reported.

EU & UK References

Vulnerability details

A weakness has been identified in Open5GS up to 2.7.6. This issue affects the function sgwc_s5c_handle_create_session_response of the component SGW-C. Executing a manipulation can lead to memory corruption. The attack may be performed from remote. The exploit has been made…

more

available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Memory corruption vulnerability in exposed network service (SGW-C) directly enables remote exploitation causing process crash/DoS, matching T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2522Same product: Open5Gs Open5Gs
CVE-2026-1587Same product: Open5Gs Open5Gs
CVE-2023-37017Same product: Open5Gs Open5Gs
CVE-2025-15529Same product: Open5Gs Open5Gs
CVE-2026-1521Same product: Open5Gs Open5Gs
CVE-2023-37014Same product: Open5Gs Open5Gs
CVE-2025-15532Same product: Open5Gs Open5Gs
CVE-2025-15539Same product: Open5Gs Open5Gs
CVE-2026-2062Same product: Open5Gs Open5Gs
CVE-2023-37015Same product: Open5Gs Open5Gs

Affected Assets

open5gs
open5gs
≤ 2.7.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces memory protection mechanisms that would block the memory corruption triggered in sgwc_s5c_handle_create_session_response.

prevent

Requires validation of inputs to the SGW-C session handling function, addressing the root cause of the CWE-119 flaw before corruption occurs.

prevent

Restricts remote network access to the exposed SGW-C component, reducing the attack surface for unauthenticated exploitation of the public vulnerability.

References