CVE-2026-8251
Denial of Service in Open5GS SMF Component
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | to 2.7.7 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Open5GS up to version 2.7.7, specifically in the function update_authorized_pcc_rule_and_qos within the file /src/smf/npcf-handler.c of the SMF component.
An attacker can remotely manipulate this function to cause a denial of service condition.
The exploit for this vulnerability has been made public, and the project has been informed but has not yet responded.
How can this vulnerability impact me?
The primary impact of this vulnerability is denial of service (DoS), which disrupts the normal operation of the affected Open5GS SMF component.
Because the attack can be performed remotely, an attacker could interrupt service availability without local access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the behavior of the Open5GS Session Management Function (SMF) for crashes or denial-of-service symptoms when processing sm-policy-notify callbacks containing PCC rules.
Specifically, if the SMF process exits with code 139 and resets connections, it may indicate an attempt to exploit this vulnerability by sending an oversized pccRules map (more than 8 entries) in the sm-policy-notify callback.
To detect this on your system, you can check SMF logs for assertion failures related to pcc_rule->num_of_flow == 0 or monitor for unexpected SMF process crashes.
No exact commands are provided, but standard Linux commands can help:
- journalctl -u open5gs-smfd.service -f # Follow SMF logs in real time (the packaged systemd unit is open5gs-smfd)
- ps aux | grep open5gs-smfd # Check whether the SMF process is running
- dmesg | grep open5gs # Check kernel logs for crashes

Monitoring network traffic for unusually large or malformed sm-policy-notify messages with more than 8 PCC rules could also help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing the SMF from processing oversized pccRules arrays that exceed the maximum capacity of 8 entries.
Since the vulnerability is caused by lack of input validation on the size of the pccRules array, you should:
- Implement input validation or filtering at the network edge or within the SMF to reject sm-policy-notify messages containing more than 8 PCC rules.
- Monitor and restrict incoming sm-policy-notify callbacks to trusted sources only.
- If possible, apply any patches or updates from the Open5GS project once they become available.
Until an official fix is released, consider deploying network-level protections such as firewall rules or intrusion detection systems to detect and block exploit attempts.
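
One way to implement the size check described in the detection and mitigation answers above, as an added example (not Open5GS code and not part of the advisory). It assumes the callback body is JSON with pccRules either at the top level or under smPolicyDecision; the function names and sample bodies are constructed for illustration. It also counts duplicate keys, which a plain dictionary parse would collapse and undercount.

```python
import json

MAX_PCC_RULES = 8  # capacity stated on this page


class Obj(list):
    """A JSON object kept as (key, value) pairs so duplicate keys stay countable."""


def members(obj, key):
    """All values stored under `key`, including duplicates."""
    return [v for k, v in obj if k == key]


def check_notify_body(raw):
    """Classify one callback body; returns ("allow" | "reject", reason)."""
    try:
        doc = json.loads(raw, object_pairs_hook=Obj)
    except (ValueError, RecursionError):
        return ("reject", "body is not valid JSON")
    if not isinstance(doc, Obj):
        return ("reject", "top level is not a JSON object")
    # Assumed layouts: pccRules at the top level or under smPolicyDecision.
    holders = [doc] + [d for d in members(doc, "smPolicyDecision") if isinstance(d, Obj)]
    total = 0
    for holder in holders:
        for rules in members(holder, "pccRules"):
            if rules is None:
                continue
            if not isinstance(rules, Obj):
                return ("reject", "pccRules is not a JSON object")
            total += len(rules)  # null-valued and duplicate-key entries count too
    if total > MAX_PCC_RULES:
        return ("reject", f"{total} pccRules entries exceed the limit of {MAX_PCC_RULES}")
    return ("allow", f"{total} pccRules entries")


def make_body(n, nested=True):
    """Constructed sample body with n rules (names are illustrative)."""
    decision = {"pccRules": {f"rule-{i}": {"pccRuleId": f"rule-{i}"} for i in range(n)}}
    return json.dumps({"smPolicyDecision": decision} if nested else decision).encode()


if __name__ == "__main__":
    dup = b'{"pccRules":{' + b",".join([b'"r":{}'] * 9) + b"}}"  # same key nine times
    for label, body in [("8 rules", make_body(8)), ("9 rules", make_body(9)),
                        ("9 duplicate keys", dup), ("garbage", b"not json")]:
        print(label, "->", check_notify_body(body))
```

The same function can run inside a filtering proxy in front of the SMF or offline over captured callback bodies.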