Cyber Resilience

CVE-2026-2524

MediumPublic PoC

Published: 16 February 2026

Published
16 February 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0004 14.1th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2524 is a medium-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Open5Gs Open5Gs. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 14.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-2524 is a vulnerability in Open5GS version 2.7.6, affecting the mme_s11_handle_create_session_response function within the MME component. The flaw enables a denial of service condition through improper resource handling, classified under CWE-404.

An unauthenticated remote attacker can exploit this vulnerability with low attack complexity, as reflected in its CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Exploitation disrupts availability to a low degree without impacting confidentiality or integrity.

The Open5GS project was notified early via GitHub issue #4284 but has not responded as of the CVE publication on 2026-02-16. An exploit has been published and may be used, with further details available in the project's GitHub repository (https://github.com/open5gs/open5gs/) and VulDB entries (https://vuldb.com/?ctiid.346112, https://vuldb.com/?id.346112). No patches or specific mitigations are detailed in the available references.

EU & UK References

Vulnerability details

A flaw has been found in Open5GS 2.7.6. The impacted element is the function mme_s11_handle_create_session_response of the component MME. This manipulation causes denial of service. The attack can be initiated remotely. The exploit has been published and may be used.…

more

The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated exploitation of improper resource handling (CWE-404) in MME component directly enables application/system crash for availability impact, matching T1499.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1587Same product: Open5Gs Open5Gs
CVE-2026-1586Same product: Open5Gs Open5Gs
CVE-2026-1522Same product: Open5Gs Open5Gs
CVE-2026-1521Same product: Open5Gs Open5Gs
CVE-2026-4240Same product: Open5Gs Open5Gs
CVE-2025-15529Same product: Open5Gs Open5Gs
CVE-2025-1925Same product: Open5Gs Open5Gs
CVE-2025-1893Same product: Open5Gs Open5Gs
CVE-2026-2517Same product: Open5Gs Open5Gs
CVE-2025-15539Same product: Open5Gs Open5Gs

Affected Assets

open5gs
open5gs
2.7.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires mechanisms to protect against or limit the effects of denial-of-service attacks targeting the MME's session-handling path.

prevent

Requires the system to manage resources so that exhaustion via improper handling in mme_s11_handle_create_session_response cannot degrade availability.

prevent

Mandates graceful error handling that would prevent the CWE-404 resource mishandling from resulting in a DoS condition.

References