CVE-2026-2522
Published: 16 February 2026
Summary
CVE-2026-2522 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Open5GS. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 30.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Provides memory protection safeguards that directly mitigate memory corruption vulnerabilities like CWE-119 in the MME component by preventing unauthorized code execution or modification.
Mandates timely flaw remediation, so that vulnerabilities such as CVE-2026-2522 in Open5GS are patched and the memory corruption risk is eliminated.
Implements denial-of-service protections to limit the impact of remote unauthenticated exploits causing service crashes via memory corruption.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote unauthenticated attackers to cause denial-of-service via memory corruption in the Open5GS MME service, directly mapping to application exploitation for endpoint DoS.
NVD Description
A security vulnerability has been detected in Open5GS up to 2.7.6. Impacted is an unknown function of the file /src/mme/esm-build.c of the component MME. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysis
CVE-2026-2522 is a memory corruption vulnerability (CWE-119) affecting Open5GS versions up to 2.7.6, specifically an unknown function in the file /src/mme/esm-build.c within the MME component. Assigned a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), the issue enables manipulation that disrupts availability through memory corruption.
The vulnerability can be exploited remotely by unauthenticated attackers with no privileges required, low attack complexity, and no user interaction needed. Successful exploitation results in limited denial-of-service impact, such as service crashes or disruptions due to memory corruption, without affecting confidentiality or integrity.
References, including GitHub issues #4283 and related comments in the Open5GS repository, indicate the project was notified early via an issue report but has not yet responded or issued patches. VulDB entries confirm public disclosure of the exploit, which may be actively used by attackers. No mitigations or fixes are currently available from the vendor.
Details
- CWE(s)