CVE-2026-8252
Undergoing Analysis Undergoing Analysis - In Progress
Null Pointer Dereference in Open5GS SMF Component

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulDB

Description
A vulnerability was determined in Open5GS up to 2.7.7. Affected is the function smf_nsmf_handle_create_data_in_hsmf of the component SMF. Executing a manipulation can lead to null pointer dereference. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-20
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-8252
EUVD
EUVD-2026-29006
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open5gs open5gs to 2.7.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in Open5GS up to version 2.7.7, specifically in the Session Management Function (SMF) component. It occurs in the function smf_nsmf_handle_create_data_in_hsmf when processing certain requests.

If a POST request to the SMF endpoint lacks the required vcnTunnelInfo field, the function attempts to dereference a null pointer while logging an error, causing the SMF process to crash.

This null pointer dereference leads to the SMF process exiting unexpectedly and resetting the HTTP/2 connection, instead of properly handling the error with a 400 response.

Impact Analysis

The vulnerability can cause the SMF component of Open5GS to crash when it receives malformed requests missing the vcnTunnelInfo field.

This crash results in a denial of service condition, as the SMF process exits and the HTTP/2 connection is reset, potentially disrupting 5G core network operations.

Since the attack can be performed remotely by sending crafted requests, it poses a risk of service interruption in networks using the affected Open5GS versions.

Detection Guidance

This vulnerability can be detected by monitoring the behavior of the Session Management Function (SMF) in Open5GS when it processes POST requests to the `/nsmf-pdusession/v1/pdu-sessions` endpoint.

Specifically, sending a malformed multipart POST request that lacks the `vcnTunnelInfo` field to this endpoint can trigger the vulnerability, causing the SMF process to crash with exit code 139 and reset the HTTP/2 connection.

A detection command example using curl to test this could be:

  • curl -X POST -H "Content-Type: multipart/form-data" --data-binary @malformed_request.txt http://<SMF_IP>:<PORT>/nsmf-pdusession/v1/pdu-sessions

Where `malformed_request.txt` is a crafted multipart request missing the `vcnTunnelInfo` field.

If the SMF crashes or the HTTP/2 connection resets unexpectedly, this indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include preventing malformed requests that lack the `vcnTunnelInfo` field from reaching the SMF component.

This can be done by implementing input validation or filtering at the network perimeter or API gateway to block such malformed POST requests to `/nsmf-pdusession/v1/pdu-sessions`.

Additionally, monitoring the SMF process for crashes and restarting it promptly can reduce downtime.

Since the project has not yet responded with a patch, consider applying custom patches or workarounds if available, or upgrading to a fixed version once released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8252. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart