CVE-2026-8222
Denial of Service in Open5GS sm-policies Endpoint
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | up to and including 2.7.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in Open5GS up to version 2.7.7, specifically in the function pcf_nbsf_management_handle_register within the sm-policies Endpoint component. It occurs when the Policy and Charging Function (PCF) processes a malformed Binding Support Function (BSF) register response during a POST request. If the BSF returns a 201 Created response with a malformed Location header missing the binding ID, the PCF attempts to clean up without setting an HTTP status, causing an assertion failure that crashes the PCF process.
The root cause is an uninitialized status variable leading to a denial of service (DoS) condition. An attacker can exploit this remotely by manipulating the Location header in the BSF response to crash the PCF.
How can this vulnerability impact me?
This vulnerability can lead to a denial of service (DoS) attack against the Open5GS Policy and Charging Function (PCF). By sending a specially crafted BSF register response with a malformed Location header, an attacker can cause the PCF to crash, disrupting the normal operation of the 5G core network components that rely on it.
Such a crash can interrupt network policy enforcement and charging functions, potentially affecting service availability and network reliability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the behavior of the Policy and Charging Function (PCF) component in Open5GS, specifically looking for crashes or abnormal termination of the PCF process.
Since the vulnerability is triggered by a malformed Binding Support Function (BSF) register response with a missing binding ID in the Location header during a POST request to `/npcf-smpolicycontrol/v1/sm-policies`, network traffic inspection tools can be used to detect such malformed responses.
Suggested commands include using packet capture tools like tcpdump or Wireshark to filter and inspect POST requests to the PCF endpoint and analyze the Location headers in BSF responses.
- `tcpdump -i <interface> -w capture.pcap 'tcp port 80 or tcp port 443'`
- Use Wireshark to open capture.pcap and filter HTTP POST requests to `/npcf-smpolicycontrol/v1/sm-policies` and inspect the Location headers in BSF responses for missing binding IDs.
Additionally, monitoring PCF logs for assertion failures or crashes related to `pcf_nbsf_management_handle_register()` can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include monitoring and restricting access to the PCF endpoint to prevent malicious BSF responses from reaching the system.
Since the vulnerability is caused by the PCF crashing when processing malformed BSF Location headers, implementing input validation or filtering malformed BSF responses before they reach the PCF can reduce risk.
If possible, apply any available patches or updates from the Open5GS project once the project responds or releases a fix.
In the meantime, consider isolating or limiting the network exposure of the PCF component to trusted BSF services only.
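The Location-header validation suggested above, as an added example in C (not Open5GS code): it extracts the binding ID and returns a defined HTTP status on every path, so cleanup never sees an unset status. The `/nbsf-management/v1/pcfBindings/` path is taken from 3GPP TS 29.521, not from this page; the function names and the 500/502 status choices are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Resource path of a PCF binding per 3GPP TS 29.521
 * (assumption: the path is not given on this page). */
#define BINDING_PREFIX "/nbsf-management/v1/pcfBindings/"

/* Copies the binding ID from a Location value into out.
 * Returns 0 on success, -1 if the header is absent, lacks the
 * pcfBindings path, or carries an empty or oversized ID. */
int extract_binding_id(const char *location, char *out, size_t outlen)
{
    const char *p;
    size_t n;

    if (location == NULL || out == NULL || outlen == 0)
        return -1;
    p = strstr(location, BINDING_PREFIX);
    if (p == NULL)
        return -1;
    p += strlen(BINDING_PREFIX);
    n = strcspn(p, "/?#");          /* ID ends at the next delimiter */
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Hypothetical handler: returns the HTTP status for the reply to the
 * original requester. The status starts at a defined error value, so
 * no exit path can reach cleanup with it unset. */
int handle_bsf_register(int bsf_status, const char *location,
                        char *binding_id, size_t idlen)
{
    int status = 500;               /* defined default (assumed value) */

    if (bsf_status != 201)
        return status;
    if (extract_binding_id(location, binding_id, idlen) != 0)
        return 502;                 /* malformed upstream response (assumed value) */
    return 201;
}
```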