{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1736", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-01T07:44:34.393Z", "datePublished": "2026-02-02T00:32:06.984Z", "dateUpdated": "2026-02-23T09:12:17.476Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:12:17.476Z"}, "title": "Open5GS SGWC s11-handler.c assertion", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-617", "lang": "en", "description": "Reachable Assertion"}]}], "affected": [{"vendor": "n/a", "product": "Open5GS", "versions": [{"version": "2.7.0", "status": "affected"}, {"version": "2.7.1", "status": "affected"}, {"version": "2.7.2", "status": "affected"}, {"version": "2.7.3", "status": "affected"}, {"version": "2.7.4", "status": "affected"}, {"version": "2.7.5", "status": "affected"}, {"version": "2.7.6", "status": "affected"}], "cpes": ["cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*"], "modules": ["SGWC"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c of the component SGWC. Such manipulation leads to reachable assertion. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. A patch should be applied to remediate this issue. The issue report is flagged as already-fixed."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-02-01T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-01T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-02T03:07:05.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "LinZiyu (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.343635", "name": "VDB-343635 | Open5GS SGWC s11-handler.c assertion", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.343635", "name": "VDB-343635 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.741191", "name": "Submit #741191 | Open5GS SGWC v2.7.6 Denial of Service", "tags": ["third-party-advisory"]}, {"url": "https://github.com/open5gs/open5gs/issues/4270", "tags": ["issue-tracking"]}, {"url": "https://github.com/open5gs/open5gs/issues/4270#event-21968624624", "tags": ["issue-tracking"]}, {"url": "https://github.com/open5gs/open5gs/issues/4270#issue-3795141303", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/open5gs/open5gs/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-02T16:15:25.518375Z", "id": "CVE-2026-1736", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T16:32:20.766Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1736", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-02T16:15:25.518375Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T16:26:23.287Z"}}], "cna": {"title": "Open5GS SGWC s11-handler.c assertion", "credits": [{"lang": "en", "type": "reporter", "value": "LinZiyu (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"cpes": ["cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*"], "vendor": "n/a", "modules": ["SGWC"], "product": "Open5GS", "versions": [{"status": "affected", "version": "2.7.0"}, {"status": "affected", "version": "2.7.1"}, {"status": "affected", "version": "2.7.2"}, {"status": "affected", "version": "2.7.3"}, {"status": "affected", "version": "2.7.4"}, {"status": "affected", "version": "2.7.5"}, {"status": "affected", "version": "2.7.6"}]}], "timeline": [{"lang": "en", "time": "2026-02-01T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-01T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-02T03:07:05.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.343635", "name": "VDB-343635 | Open5GS SGWC s11-handler.c assertion", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.343635", "name": "VDB-343635 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.741191", "name": "Submit #741191 | Open5GS SGWC v2.7.6 Denial of Service", "tags": ["third-party-advisory"]}, {"url": "https://github.com/open5gs/open5gs/issues/4270", "tags": ["issue-tracking"]}, {"url": "https://github.com/open5gs/open5gs/issues/4270#event-21968624624", "tags": ["issue-tracking"]}, {"url": "https://github.com/open5gs/open5gs/issues/4270#issue-3795141303", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/open5gs/open5gs/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c of the component SGWC. Such manipulation leads to reachable assertion. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. A patch should be applied to remediate this issue. The issue report is flagged as already-fixed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-617", "description": "Reachable Assertion"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:12:17.476Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1736", "state": "PUBLISHED", "dateUpdated": "2026-02-23T09:12:17.476Z", "dateReserved": "2026-02-01T07:44:34.393Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-02T00:32:06.984Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C77332A-BAA3-4FE7-A237-B87F175C6F48", "versionEndIncluding": "2.7.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c of the component SGWC. Such manipulation leads to reachable assertion. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. A patch should be applied to remediate this issue. The issue report is flagged as already-fixed."}], "id": "CVE-2026-1736", "lastModified": "2026-02-11T19:34:35.430", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-02T01:15:51.940", "references": [{"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://github.com/open5gs/open5gs/"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/open5gs/open5gs/issues/4270"}, {"source": "cna@vuldb.com", "tags": ["Issue Tracking"], "url": "https://github.com/open5gs/open5gs/issues/4270#event-21968624624"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/open5gs/open5gs/issues/4270#issue-3795141303"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.343635"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.343635"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.741191"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:20:52.956994+00:00", "value": {"mitigation_remediation": ["Upgrade Open5GS to the patched release (2.7.7 or later) to eliminate the reachable assertion.", "If an immediate upgrade is not feasible, limit S11 interface traffic to a trusted set of IP addresses or network segments until the patch can be applied, preventing unauthorised tunnel provisioning requests.", "Continuously monitor SGWC logs for assertion failures and implement health\u2011check or fail\u2011over mechanisms to maintain service availability during any temporary mitigation."], "summary": {"action": "Apply Patch", "impact": "Denial of Service via Remote Assertion Failure"}, "threat_synthesis": {"affected_systems": "Versioned releases of the Open5GS platform through 2.7.6, including all installations that have not applied the latest patch, are affected. The issue is confined to the SGWC component, which processes S11 interface traffic between the SGW and the MME/UPF.", "description_and_impact": "The vulnerability resides in the SGWC component of Open5GS, specifically in the function that handles indirect data forwarding tunnel requests. A crafted request can trigger an assertion failure within the S11 handler, causing the SGWC process to crash. This CWE-617 reachable assertion flaw does not directly provide code execution, but it can lead to service disruption and potentially serve as a foothold for further exploitation if combined with other weaknesses.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a moderate to high risk, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is exploitable remotely and has already been publicly disclosed, which raises the likelihood of targeted attacks. Although the flaw primarily leads to denial of service, a remote attacker could leverage repeated crashes to facilitate a denial\u2011of\u2011service attack vector or combine it with other vulnerabilities for broader impact. The CVE is not listed in the CISA KEV catalogue, but its potential to disrupt core 5G network functions warrants prompt attention."}}}}, "created": "2026-02-02T09:26:09.696098+00:00", "updated": "2026-04-18T14:30:02.941319+00:00", "vendors": ["open5gs", "open5gs$PRODUCT$open5gs"]}