CVE-2026-8224
Open5GS PCF IPv6 Prefix Denial of Service
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | up to 2.7.7 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Open5GS up to version 2.7.7, specifically in the Policy Control Function (PCF) component. The issue occurs in the function pcf_sess_set_ipv6prefix when it processes an IPv6 address prefix that is not exactly 128 bits long. If a request includes a valid but non-128 IPv6 prefix (for example, a /64 prefix), the function triggers an assertion failure, causing the PCF process to crash.
The crash happens because the PCF expects the IPv6 prefix length to be exactly 128 bits, but it does not handle other valid prefix lengths properly. Instead of rejecting such requests with an error, the system terminates the PCF process, leading to a denial of service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
This vulnerability can lead to a denial of service (DoS) condition in the Open5GS system. An attacker can remotely send a specially crafted request with a non-128 bit IPv6 prefix to the PCF, causing it to crash and potentially restart repeatedly.
Such crashes can disrupt the normal operation of the Policy Control Function, which is critical for managing policies in the network. This disruption can lead to service outages or degraded network performance, affecting users relying on the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or restarts of the Open5GS PCF component when it processes POST requests to the endpoint `/npcf-smpolicycontrol/v1/sm-policies`.
Specifically, sending a POST request with an IPv6 address prefix that is not a /128 prefix (for example, `2001:db8::1/64`) to the PCF can reproduce the crash, indicating the presence of the vulnerability.
A suggested command to test this uses curl to send such a request:
- `curl -X POST http://<pcf-ip>:<port>/npcf-smpolicycontrol/v1/sm-policies -d '{"SmPolicyContextData":{"ipv6AddressPrefix":"2001:db8::1/64"}}' -H 'Content-Type: application/json'`
If the PCF process crashes or the connection is reset and the container restarts, this indicates the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include monitoring and restricting incoming POST requests to the PCF endpoint `/npcf-smpolicycontrol/v1/sm-policies` to ensure that IPv6 prefixes are strictly validated before processing.
Implement network-level filtering or application-level input validation to block requests containing IPv6 prefixes that are not /128.
Additionally, consider isolating or limiting access to the PCF service to trusted sources only to reduce exposure to remote exploitation.
Since the vendor has not responded with a patch, closely monitor for updates or patches from Open5GS and apply them as soon as they become available.
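The application-level validation suggested above can run in a proxy or gateway placed in front of the PCF. The following is an added example, not Open5GS code and not part of the original advisory; the function names and the recursive search for `ipv6AddressPrefix` at any nesting depth are assumptions, and it rejects any body whose prefix is not a /128 IPv6 prefix.

```python
import ipaddress
import json

FIELD = "ipv6AddressPrefix"  # field name taken from the request shown on this page


def find_prefixes(node):
    """Yield every value stored under FIELD, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == FIELD:
                yield value
            else:
                yield from find_prefixes(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_prefixes(item)


def prefix_problem(value):
    """Return None for a /128 IPv6 prefix, otherwise a short reason string."""
    if not isinstance(value, str):
        return "prefix is not a string"
    addr, sep, length = value.partition("/")
    if not sep:
        return "missing prefix length"
    try:
        ipaddress.IPv6Address(addr)
    except ValueError:
        return "not an IPv6 address"
    if length != "128":
        return "prefix length is not /128"
    return None


def screen_body(raw):
    """Return (allow, reason) for one POST body (hypothetical filter hook)."""
    try:
        doc = json.loads(raw)
    except (ValueError, RecursionError):
        return False, "body is not valid JSON"
    for value in find_prefixes(doc):
        problem = prefix_problem(value)
        if problem:
            return False, problem
    return True, "ok"
```

A filter built on `screen_body` should answer rejected requests itself with a client error, so they never reach the PCF.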