{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1586", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-01-29T05:57:08.622Z", "datePublished": "2026-01-29T12:32:06.331Z", "dateUpdated": "2026-02-23T09:03:40.681Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:03:40.681Z"}, "title": "Open5GS SGWC s11-handler.c ogs_gtp2_f_teid_to_ip denial of service", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-404", "lang": "en", "description": "Denial of Service"}]}], "affected": [{"vendor": "n/a", "product": "Open5GS", "versions": [{"version": "2.7.0", "status": "affected"}, {"version": "2.7.1", "status": "affected"}, {"version": "2.7.2", "status": "affected"}, {"version": "2.7.3", "status": "affected"}, {"version": "2.7.4", "status": "affected"}, {"version": "2.7.5", "status": "affected"}], "cpes": ["cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*"], "modules": ["SGWC"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in Open5GS up to 2.7.5. Impacted is the function ogs_gtp2_f_teid_to_ip of the file /sgwc/s11-handler.c of the component SGWC. Executing a manipulation can lead to denial of service. The attack may be performed from remote. The exploit has been published and may be used. It is advisable to implement a patch to correct this issue. The issue report is flagged as already-fixed."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-01-29T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-01-29T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-04T03:14:37.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "FrankyLin (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.343349", "name": "VDB-343349 | Open5GS SGWC s11-handler.c ogs_gtp2_f_teid_to_ip denial of service", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.343349", "name": "VDB-343349 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.738375", "name": "Submit #738375 | Open5GS SGWC v2.7.6 Denial of Service", "tags": ["third-party-advisory"]}, {"url": "https://github.com/open5gs/open5gs/issues/4273", "tags": ["issue-tracking"]}, {"url": "https://github.com/open5gs/open5gs/issues/4273#event-21968643659", "tags": ["issue-tracking"]}, {"url": "https://github.com/open5gs/open5gs/issues/4273#issue-3796030721", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/open5gs/open5gs/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T15:11:20.627625Z", "id": "CVE-2026-1586", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T15:11:30.103Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1586", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-29T15:11:20.627625Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T15:11:25.270Z"}}], "cna": {"title": "Open5GS SGWC s11-handler.c ogs_gtp2_f_teid_to_ip denial of service", "credits": [{"lang": "en", "type": "reporter", "value": "FrankyLin (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"cpes": ["cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*"], "vendor": "n/a", "modules": ["SGWC"], "product": "Open5GS", "versions": [{"status": "affected", "version": "2.7.0"}, {"status": "affected", "version": "2.7.1"}, {"status": "affected", "version": "2.7.2"}, {"status": "affected", "version": "2.7.3"}, {"status": "affected", "version": "2.7.4"}, {"status": "affected", "version": "2.7.5"}]}], "timeline": [{"lang": "en", "time": "2026-01-29T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-01-29T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-04T03:14:37.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.343349", "name": "VDB-343349 | Open5GS SGWC s11-handler.c ogs_gtp2_f_teid_to_ip denial of service", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.343349", "name": "VDB-343349 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.738375", "name": "Submit #738375 | Open5GS SGWC v2.7.6 Denial of Service", "tags": ["third-party-advisory"]}, {"url": "https://github.com/open5gs/open5gs/issues/4273", "tags": ["issue-tracking"]}, {"url": "https://github.com/open5gs/open5gs/issues/4273#event-21968643659", "tags": ["issue-tracking"]}, {"url": "https://github.com/open5gs/open5gs/issues/4273#issue-3796030721", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/open5gs/open5gs/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in Open5GS up to 2.7.5. Impacted is the function ogs_gtp2_f_teid_to_ip of the file /sgwc/s11-handler.c of the component SGWC. Executing a manipulation can lead to denial of service. The attack may be performed from remote. The exploit has been published and may be used. It is advisable to implement a patch to correct this issue. The issue report is flagged as already-fixed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-404", "description": "Denial of Service"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:03:40.681Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1586", "state": "PUBLISHED", "dateUpdated": "2026-02-23T09:03:40.681Z", "dateReserved": "2026-01-29T05:57:08.622Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-01-29T12:32:06.331Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4733D6E-5B99-4217-96BA-533B220A1FDA", "versionEndExcluding": "2.7.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Open5GS up to 2.7.5. Impacted is the function ogs_gtp2_f_teid_to_ip of the file /sgwc/s11-handler.c of the component SGWC. Executing a manipulation can lead to denial of service. The attack may be performed from remote. The exploit has been published and may be used. It is advisable to implement a patch to correct this issue. The issue report is flagged as already-fixed."}], "id": "CVE-2026-1586", "lastModified": "2026-02-23T09:16:59.130", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-01-29T13:15:53.113", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/open5gs/open5gs/"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/open5gs/open5gs/issues/4273"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/open5gs/open5gs/issues/4273#event-21968643659"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/open5gs/open5gs/issues/4273#issue-3796030721"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.343349"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.343349"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.738375"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-404"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:28:02.559752+00:00", "value": {"mitigation_remediation": ["Upgrade Open5GS to a release version that includes the patch for sgwc/s11-handler.c (at least 2.8.0).", "If a patch cannot be applied immediately, restrict inbound GTPv2 traffic to SGWC to trusted networks or apply firewall rules that limit access to known, legitimate UPF or SGW peers.", "Enable logging of GTPv2 message failures and monitor for repeated failures or crashes; use this as an indicator of attempted exploitation."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Open5GS Open5GS SGWC component is affected in all releases up to and including 2.7.5. Users deploying the Open5GS 5G core stack with SGWC should verify whether their installed version falls within this range and plan to upgrade to a later release that includes the fix.", "description_and_impact": "The vulnerability resides in Open5GS SGWC, specifically the function ogs_gtp2_f_teid_to_ip within s11-handler.c. Remote manipulation of the GTPv2 signalling messages can cause a denial of service by corrupting memory handling in the function. The weakness is classified as CWE-404, indicating improper release of resources. The exploit has been published and is known to be usable, meaning an attacker with remote reach can trigger the service crash. The denial of service could render the SGWC component unavailable, disrupting GTP signalling between the Access Gateway and the Core network, which may cascade to affect user plane connectivity.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a moderate impact, while the EPSS score of less than 1% indicates a low probability of automated exploitation in the near term. Nonetheless, the fact that the exploit is publicly available and can be performed over the network warrants caution. The vulnerability is not listed in the CISA KEV catalog, but dependency on raw GTP traffic makes the component attractive for attackers. Remote attackers who can reach the SGWC GTP port can trigger the crash, and no special conditions beyond normal network interaction are required. Accordingly, the risk to any Open5GS deployment that exposes SGWC to untrusted traffic is high until patched."}}}}, "created": "2026-01-30T08:42:46.855438+00:00", "updated": "2026-04-18T01:30:16.045617+00:00", "vendors": ["open5gs", "open5gs$PRODUCT$open5gs"]}