CVE-2026-8225
Received - Intake
Denial of Service in Open5GS due to PCF Component

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: VulDB

Description
A vulnerability was identified in Open5GS up to 2.7.7. This affects the function pcf_npcf_smpolicycontrol_handle_delete of the file src/pcf/sm-sm.c of the component delete Endpoint. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published: 2026-05-10
Last Modified: 2026-05-10
Generated: 2026-05-10
AI Q&A: 2026-05-10
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: open5gs
Product: open5gs
Version / Range: to 2.7.7 (inc)
CWE ID: CWE-404
Description: The product does not release or incorrectly releases a resource before it is made available for re-use.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in Open5GS (CVE-2026-8225) is a method confusion issue in the Policy Control Function (PCF) component. Specifically, a GET request to the endpoint designed for deleting SM policies incorrectly triggers the delete handler, which expects a POST request with a valid delete data body.

Because the GET request lacks the required body, the handler fails and causes a state-machine exception that clears the entire PCF session context. This improper handling allows an attacker with a valid policy ID to remotely cause the PCF session state to be destroyed, leading to denial of service.

The root cause is incorrect method dispatching and error handling in the source code files related to the PCF component.


How can this vulnerability impact me?

This vulnerability can lead to a denial of service (DoS) condition in the Open5GS network core. An attacker can remotely trigger the deletion of the PCF session state by sending a crafted GET request, which disrupts legitimate services such as application session creation.

The impact is that network services relying on the PCF session context may become unavailable or unstable, potentially affecting the availability of 5G core network functions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unexpected GET requests to the endpoint /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete, which should normally only accept POST requests with a valid SmPolicyDeleteData body.

You can use network traffic inspection tools or command-line utilities like curl or wget to test if the vulnerable endpoint improperly accepts GET requests that trigger the deletion handler.

  • Example command to test the vulnerability: curl -X GET http://<open5gs-server>/npcf-smpolicycontrol/v1/sm-policies/<smPolicyId>/delete
  • Monitor logs or network traffic for such GET requests that cause session clearing or denial of service.
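
The log check described above, as an added example (not code from the original page or from Open5GS): it scans access-log lines for requests to the delete endpoint that use any method other than POST. The combined-log layout, a logging proxy in front of the PCF, and the sample lines are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Path of the SM policy delete operation named in the advisory text.
DELETE_PATH = re.compile(r"^/npcf-smpolicycontrol/v1/sm-policies/([^/]+)/delete/?$")

# Assumed layout: combined-log style lines written by a proxy in front of the PCF.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Za-z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)

def find_suspicious(lines):
    """Return one dict per request that hits the delete path with a method other than POST."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        # Drop the query string and decode percent-escapes before matching the path.
        path = unquote(urlsplit(m["target"]).path)
        p = DELETE_PATH.match(path)
        if p and m["method"].upper() != "POST":
            hits.append({"src": m["src"], "time": m["ts"], "method": m["method"].upper(),
                         "policy_id": p.group(1), "status": int(m["status"])})
    return hits

def hits_by_source(hits):
    """Count flagged requests per client address, for alert thresholds."""
    return Counter(h["src"] for h in hits)

# Constructed sample lines: documentation-range addresses, made-up policy IDs,
# illustrative status codes (not observed Open5GS responses).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/May/2026:09:00:01 +0000] "POST /npcf-smpolicycontrol/v1/sm-policies/1/delete HTTP/2.0" 204 0',
    '198.51.100.7 - - [10/May/2026:09:00:05 +0000] "GET /npcf-smpolicycontrol/v1/sm-policies/1/delete HTTP/2.0" 500 0',
    '198.51.100.7 - - [10/May/2026:09:00:06 +0000] "GET /npcf-smpolicycontrol/v1/sm-policies/2/delete?x=1 HTTP/2.0" 500 0',
    '192.0.2.10 - - [10/May/2026:09:00:09 +0000] "GET /npcf-smpolicycontrol/v1/sm-policies/1 HTTP/2.0" 200 310',
    '203.0.113.4 - - [10/May/2026:09:00:12 +0000] "get /npcf-smpolicycontrol/v1/sm-policies/3/%64elete/ HTTP/2.0" 500 0',
]

if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG)
    for hit in flagged:
        print(hit)
    print(hits_by_source(flagged))
```

The legitimate POST and the plain GET on the policy resource are not flagged; the percent-encoded, lower-case and query-string variants of the delete path are.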

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting or blocking GET requests to the /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete endpoint, as it should only accept POST requests with a valid delete body.

Implement firewall or API gateway rules to reject or filter out invalid HTTP methods targeting this endpoint.

Monitor and alert on suspicious GET requests to this endpoint to detect potential exploitation attempts.

Since the project has not yet responded with a fix, consider isolating or limiting access to the PCF component until a patch or update is available.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

