Cyber Resilience

CVE-2026-2523

Medium · Public PoC

Published: 16 February 2026
Modified: 18 February 2026
KEV Added:
Patch:
CVSS Score v4: 5.5
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0012 (30.3rd percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-2523 is a medium-severity Reachable Assertion (CWE-617) vulnerability in Open5GS. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the 30.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2523 is a vulnerability in Open5GS versions up to 2.7.6, affecting the SMF component. Specifically, the issue resides in the function smf_gn_handle_create_pdp_context_request within the file /src/smf/gn-handler.c. The flaw leads to a reachable assertion, classified under CWE-617, with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating medium severity primarily due to low-impact availability disruption.

The vulnerability can be exploited remotely by unauthenticated attackers over the network with low complexity and no user interaction required. Successful exploitation triggers the assertion, resulting in a denial-of-service condition that impairs the availability of the affected SMF component.

References point to the Open5GS GitHub repository and issue #4285, where the project was informed early via an issue report but has not yet responded. No patches or official mitigations are mentioned in the available advisories from sources like VulDB. The exploit is public and may be used.

Notable context includes the public availability of the exploit, with no reported real-world exploitation at the time of publication on 2026-02-16.

EU & UK References

Vulnerability details

A vulnerability was detected in Open5GS up to 2.7.6. The affected element is the function smf_gn_handle_create_pdp_context_request of the file /src/smf/gn-handler.c of the component SMF. The manipulation results in reachable assertion. It is possible to launch the attack remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004: Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Reachable assertion (CWE-617) in network-exposed SMF handler allows unauthenticated remote crash, directly matching application exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-24430 (same product: Open5GS)
CVE-2024-34235 (same product: Open5GS)
CVE-2023-37021 (same product: Open5GS)
CVE-2024-24427 (same product: Open5GS)
CVE-2024-24428 (same product: Open5GS)
CVE-2023-37015 (same product: Open5GS)
CVE-2023-37016 (same product: Open5GS)
CVE-2023-37017 (same product: Open5GS)
CVE-2025-15530 (same product: Open5GS)
CVE-2023-37018 (same product: Open5GS)

Affected Assets

open5gs / open5gs, versions ≤ 2.7.6

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Input validation on GTP-C create PDP context messages would reject malformed data before it reaches smf_gn_handle_create_pdp_context_request and triggers the reachable assertion.

Prevent: Denial-of-service protection mechanisms (rate limiting, traffic scrubbing) directly block exploitation of the public remote assertion trigger that impairs SMF availability.

Prevent: Robust error handling would replace the fatal assertion with graceful failure, preventing the availability impact from the CWE-617 flaw in gn-handler.c.
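The input-validation and error-handling controls above, sketched in C as an added example (not code from Open5GS or from this advisory): a GTPv1-C header check that returns an error code for a malformed Create PDP Context Request instead of asserting. All function and enum names are hypothetical. The header layout and message type 16 are taken from 3GPP TS 29.060, and because the page does not say which input reaches the assertion, only the generic header is checked.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names throughout; this is not Open5GS code. */
enum gtp1_check {
    GTP1_OK = 0,
    GTP1_ERR_SHORT,    /* fewer octets than the mandatory header */
    GTP1_ERR_VERSION,  /* not GTP version 1, or protocol type bit clear */
    GTP1_ERR_TYPE,     /* not a Create PDP Context Request */
    GTP1_ERR_LENGTH    /* length field disagrees with the datagram */
};

#define GTP1_MSG_CREATE_PDP_CTX_REQ 16 /* message type, 3GPP TS 29.060 */
#define GTP1_HDR_MIN 8                 /* flags, type, length, TEID */
#define GTP1_HDR_OPT 4                 /* seq, N-PDU, next-ext (if E/S/PN set) */

/* Validate the header before a handler sees the message. A malformed
 * datagram yields an error code the caller can log, count and drop,
 * rather than an assert() that aborts the whole process. */
enum gtp1_check gtp1_check_create_pdp_req(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < GTP1_HDR_MIN)
        return GTP1_ERR_SHORT;

    uint8_t flags = buf[0];
    if ((flags >> 5) != 1 || (flags & 0x10) == 0)
        return GTP1_ERR_VERSION;

    if (buf[1] != GTP1_MSG_CREATE_PDP_CTX_REQ)
        return GTP1_ERR_TYPE;

    /* The length field counts everything after the first 8 octets. */
    size_t body = ((size_t)buf[2] << 8) | buf[3];
    if (body != len - GTP1_HDR_MIN)
        return GTP1_ERR_LENGTH;

    /* If any of E, S, PN is set, the 4 optional octets must be present. */
    if ((flags & 0x07) != 0 && body < GTP1_HDR_OPT)
        return GTP1_ERR_LENGTH;

    return GTP1_OK;
}

int main(void)
{
    /* Constructed sample: header claims 16 body octets, datagram has 4. */
    const uint8_t sample[12] = {0x32, 16, 0x00, 0x10, 0, 0, 0, 0, 0, 1, 0, 0};
    return gtp1_check_create_pdp_req(sample, sizeof sample) == GTP1_ERR_LENGTH ? 0 : 1;
}
```

A caller would drop the datagram and increment a counter on any non-zero result, which also gives the rate-limiting control a signal to act on.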

References