CVE-2026-8252
Null Pointer Dereference in Open5GS SMF Component
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | up to 2.7.7 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Open5GS up to version 2.7.7, specifically in the Session Management Function (SMF) component. It occurs in the function `smf_nsmf_handle_create_data_in_hsmf` when processing certain requests.
If a POST request to the SMF endpoint lacks the required `vcnTunnelInfo` field, the function attempts to dereference a null pointer while logging an error, causing the SMF process to crash.
This null pointer dereference leads to the SMF process exiting unexpectedly and resetting the HTTP/2 connection, instead of properly handling the error with a 400 response.
How can this vulnerability impact me?
The vulnerability can cause the SMF component of Open5GS to crash when it receives malformed requests missing the `vcnTunnelInfo` field.
This crash results in a denial of service condition, as the SMF process exits and the HTTP/2 connection is reset, potentially disrupting 5G core network operations.
Since the attack can be performed remotely by sending crafted requests, it poses a risk of service interruption in networks using the affected Open5GS versions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the behavior of the Session Management Function (SMF) in Open5GS when it processes POST requests to the `/nsmf-pdusession/v1/pdu-sessions` endpoint.
Specifically, sending a malformed multipart POST request that lacks the `vcnTunnelInfo` field to this endpoint can trigger the vulnerability, causing the SMF process to crash with exit code 139 and reset the HTTP/2 connection.
A detection command example using curl to test this could be:
- `curl -X POST -H "Content-Type: multipart/form-data" --data-binary @malformed_request.txt http://<SMF_IP>:<PORT>/nsmf-pdusession/v1/pdu-sessions`
Where `malformed_request.txt` is a crafted multipart request missing the `vcnTunnelInfo` field.
If the SMF crashes or the HTTP/2 connection resets unexpectedly, this indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing malformed requests that lack the `vcnTunnelInfo` field from reaching the SMF component.
This can be done by implementing input validation or filtering at the network perimeter or API gateway to block such malformed POST requests to `/nsmf-pdusession/v1/pdu-sessions`.
Additionally, monitoring the SMF process for crashes and restarting it promptly can reduce downtime.
Since the project has not yet responded with a patch, consider applying custom patches or workarounds if available, or upgrading to a fixed version once released.
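One way to implement the gateway-side filtering described above, as an added example that is not Open5GS code or part of the original advisory. It assumes the gateway hands the filter the request's `Content-Type` value and raw body, and that `vcnTunnelInfo` is a top-level object in the JSON part; the function names, the `multipart/related` framing and the sample requests are constructed for illustration.

```python
import json
from email import message_from_bytes, policy

REQUIRED_FIELD = "vcnTunnelInfo"  # field named in the advisory text

def first_json_part(content_type, body):
    """Return the bytes of the first application/json part, or None."""
    if "\r" in content_type or "\n" in content_type:
        return None  # refuse header values that could confuse the parser
    # Re-attach the header so the stdlib MIME parser can find the boundary.
    head = b"Content-Type: " + content_type.encode("latin-1", "replace") + b"\r\n\r\n"
    msg = message_from_bytes(head + body, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "application/json":
            return part.get_payload(decode=True) or b""
    return None

def gateway_decision(content_type, body):
    """Return (status, reason): 200 = forward to the SMF, 400 = reject."""
    raw = first_json_part(content_type, body)
    if raw is None:
        return 400, "no application/json part"
    try:
        doc = json.loads(raw)
    except ValueError:  # also covers undecodable bytes
        return 400, "JSON part does not parse"
    # Assumption: the field is a top-level object of the JSON document.
    if not isinstance(doc, dict) or not isinstance(doc.get(REQUIRED_FIELD), dict):
        return 400, REQUIRED_FIELD + " missing or not an object"
    return 200, "ok"

# Constructed sample requests (boundary, identifiers and addresses are made up).
def sample(json_text):
    return (b"--b1\r\nContent-Type: application/json\r\n\r\n" + json_text +
            b"\r\n--b1\r\nContent-Type: application/vnd.3gpp.5gnas\r\n"
            b"Content-Id: n1\r\n\r\nNAS\r\n--b1--\r\n")

CT = "multipart/related; boundary=b1"
GOOD = sample(b'{"dnn":"internet","vcnTunnelInfo":'
              b'{"ipv4Addr":"192.0.2.10","gtpTeid":"00000001"}}')
BAD = sample(b'{"dnn":"internet"}')

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, gateway_decision(CT, body))
```

The filter fails closed: a body with no parseable JSON part is rejected with 400 at the gateway rather than forwarded to the SMF.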