CVE-2026-8248
Denial of Service in Open5GS SMF Component
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | to 2.7.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Open5GS versions up to 2.7.7, specifically in the function update_authorized_pcc_rule_and_qos within the file /src/smf/npcf-handler.c of the SMF component.
The issue allows an attacker to manipulate this function, resulting in a denial of service condition.
The attack can be launched remotely, and the exploit is publicly available.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability causes a denial of service by crashing the Session Management Function (SMF) in Open5GS when processing malformed input. This disruption of service could impact the availability of network functions.
However, there is no specific information provided about how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or unexpected termination of the Open5GS SMF process, especially exit code 139, which indicates an assertion failure in the update_authorized_pcc_rule_and_qos function.
Additionally, detection can be performed by capturing and analyzing network traffic for malformed POST requests to the endpoint /nsmf-callback/v1/sm-policy-notify/{smContextRef}/update containing invalid preemptCap values such as "BOOM".
Suggested commands include:
- Use system logs or process monitoring tools to check for SMF crashes: e.g., `journalctl -u open5gs-smf` or `ps aux | grep open5gs-smf` to detect unexpected exits.
- Use network packet capture tools like tcpdump or Wireshark to filter POST requests to the vulnerable endpoint: `tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'` and then search for requests containing invalid preemptCap values.
- Use curl or similar tools to test the endpoint with crafted requests to verify if the SMF crashes: `curl -X POST http://<open5gs-smf-ip>/nsmf-callback/v1/sm-policy-notify/<smContextRef>/update -d '{"arp":{"preemptCap":"BOOM"}}' -H 'Content-Type: application/json'`
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include monitoring and restricting access to the vulnerable SMF endpoint to prevent malicious crafted requests.
Implement network-level filtering or firewall rules to block suspicious POST requests containing invalid or unexpected preemptCap values.
Consider temporarily disabling or isolating the SMF component if possible until a patch or official fix is released.
Monitor the Open5GS project for updates or patches addressing this vulnerability and apply them as soon as they become available.
How can this vulnerability impact me? :
The vulnerability can cause a denial of service (DoS) in the affected Open5GS system.
This means that the system or service relying on Open5GS may become unavailable or unresponsive, potentially disrupting network functions.