CVE-2026-8223
Denial of Service in Open5GS sm-policies Endpoint
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | to 2.7.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes the Policy Control Function (PCF) in Open5GS to crash when it processes a delayed Network Repository Function (NRF) discovery response after the original client disconnects. Detection can involve monitoring the PCF for unexpected crashes or restarts.
To detect this issue, you can monitor Open5GS PCF logs for assertion failures related to `ogs_assert(stream)` or unexpected termination messages.
Additionally, you can simulate the conditions that cause the crash by sending SM Policy Association requests with short timeouts and using a test or fake NRF endpoint that delays responses, then observe if the PCF crashes.
Specific commands are not provided in the resources, but general approaches include:
- Check system logs for PCF crashes or assertion failures (e.g., using `journalctl -u open5gs-pcf` or examining Open5GS log files).
- Use network traffic analysis tools (e.g., tcpdump or Wireshark) to monitor SM Policy Association requests and responses, looking for delayed NRF discovery responses.
- Perform controlled tests with a client sending requests with short timeouts and a delayed NRF endpoint to reproduce the crash.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps are not explicitly detailed in the provided resources.
However, general best practices include:
- Monitor and restart the PCF service automatically if it crashes to minimize downtime.
- Limit exposure of the PCF endpoint to untrusted networks to reduce the risk of remote exploitation.
- Avoid using delayed or unreliable NRF endpoints that could trigger the vulnerability.
- Apply any patches or updates from the Open5GS project once available.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in Open5GS up to version 2.7.7, specifically in the Policy Control Function (PCF) component's handling of delayed discovery responses during a SM Policy Association request.
When the PCF receives a delayed Network Repository Function (NRF) discovery response after the original client has disconnected, it attempts to send a fallback response on an already closed HTTP/2 stream. This causes an assertion failure and crashes the PCF.
The root cause is that the PCF does not properly discard or safely handle late discovery results, leading to dereferencing a dead stream and resulting in a denial of service.
How can this vulnerability impact me? :
This vulnerability can be exploited remotely to cause a denial of service (DoS) in the Open5GS Policy Control Function.
An attacker can trigger the PCF to crash by manipulating the timing of discovery responses, which disrupts the normal operation of the network policy control.
This disruption can lead to service unavailability or degraded network performance, potentially affecting users relying on the affected Open5GS deployment.