CVE-2026-8225
Undergoing Analysis Undergoing Analysis - In Progress
Denial of Service in Open5GS due to PCF Component

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: VulDB

Description
A vulnerability was identified in Open5GS up to 2.7.7. This affects the function pcf_npcf_smpolicycontrol_handle_delete of the file src/pcf/sm-sm.c of the component delete Endpoint. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-10
Last Modified
2026-05-10
Generated
2026-06-19
AI Q&A
2026-05-10
EPSS Evaluated
2026-06-18
NVD
CVE-2026-8225
EUVD
EUVD-2026-28973
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open5gs open5gs to 2.7.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in Open5GS (CVE-2026-8225) is a method confusion issue in the Policy Control Function (PCF) component. Specifically, a GET request to the endpoint designed for deleting SM policies incorrectly triggers the delete handler, which expects a POST request with a valid delete data body.

Because the GET request lacks the required body, the handler fails and causes a state-machine exception that clears the entire PCF session context. This improper handling allows an attacker with a valid policy ID to remotely cause the PCF session state to be destroyed, leading to denial of service.

The root cause is incorrect method dispatching and error handling in the source code files related to the PCF component.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition in the Open5GS network core. An attacker can remotely trigger the deletion of the PCF session state by sending a crafted GET request, which disrupts legitimate services such as application session creation.

The impact is that network services relying on the PCF session context may become unavailable or unstable, potentially affecting the availability of 5G core network functions.

Detection Guidance

This vulnerability can be detected by monitoring for unexpected GET requests to the endpoint /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete, which should normally only accept POST requests with a valid SmPolicyDeleteData body.

You can use network traffic inspection tools or command-line utilities like curl or wget to test if the vulnerable endpoint improperly accepts GET requests that trigger the deletion handler.

  • Example command to test the vulnerability: curl -X GET http://<open5gs-server>/npcf-smpolicycontrol/v1/sm-policies/<smPolicyId>/delete
  • Monitor logs or network traffic for such GET requests that cause session clearing or denial of service.
Mitigation Strategies

Immediate mitigation steps include restricting or blocking GET requests to the /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete endpoint, as it should only accept POST requests with a valid delete body.

Implement firewall or API gateway rules to reject or filter out invalid HTTP methods targeting this endpoint.

Monitor and alert on suspicious GET requests to this endpoint to detect potential exploitation attempts.

Since the project has not yet responded with a fix, consider isolating or limiting access to the PCF component until a patch or update is available.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8225. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart