CVE-2026-2524
Published: 16 February 2026
Summary
CVE-2026-2524 is a medium-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Open5GS. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 14.1 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-2524 is a vulnerability in Open5GS version 2.7.6, affecting the mme_s11_handle_create_session_response function within the MME component. The flaw enables a denial of service condition through improper resource handling, classified under CWE-404.
An unauthenticated remote attacker can exploit this vulnerability with low attack complexity, as reflected in its CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Exploitation disrupts availability to a low degree without impacting confidentiality or integrity.
The Open5GS project was notified early via GitHub issue #4284 but has not responded as of the CVE publication on 2026-02-16. An exploit has been published and may be used, with further details available in the project's GitHub repository (https://github.com/open5gs/open5gs/) and VulDB entries (https://vuldb.com/?ctiid.346112, https://vuldb.com/?id.346112). No patches or specific mitigations are detailed in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6137
Vulnerability details
A flaw has been found in Open5GS 2.7.6. The impacted element is the function mme_s11_handle_create_session_response of the component MME. This manipulation causes denial of service. The attack can be initiated remotely. The exploit has been published and may be used.…
The project was informed of the problem early through an issue report but has not responded yet.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated exploitation of improper resource handling (CWE-404) in the MME component directly enables an application or system crash with availability impact, matching T1499.004.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires mechanisms to protect against or limit the effects of denial-of-service attacks targeting the MME's session-handling path.
Requires the system to manage resources so that exhaustion via improper handling in mme_s11_handle_create_session_response cannot degrade availability.
Mandates graceful error handling that would prevent the CWE-404 resource mishandling from resulting in a DoS condition.