Vulnerability Description: The MME crashes when it processes a malformed Bearer QoS length in CreateSessionResponse, despite a length check. Affected Version: Tested in v2.7.6 version. Vulnerability Cause: The code asserts , but if returns a length other than the expected one (22), the assertion fails and MME crashes. Exploitation Method: - Set up a new Go project and create a file with the provided code, which creates a malformed CreateSessionResponse to trigger the vulnerability. Expected Behavior: The malformed Bearer QoS IE should be rejected gracefully without crashing the MME process. Observed Behavior: The MME crashes due to an assertion failure. Vulnerability Impact: An attacker can send a CreateSessionResponse with a malformed bearer_level_qos.len to crash the MME.