CVE-2026-8268
Open5GS SMF Denial of Service Vulnerability
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | to 2.7.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Open5GS SMF (Session Management Function) component when it operates in the home-routed V-SMF role. Specifically, it happens if the SMF receives a 201 Created response from the Home-SMF for a PDU session establishment request that omits the `qosFlowsSetupList` field in the response data.
The SMF's response handler expects this list to be present if it contains items, but if the list is missing or empty, it frees the list. Later, when constructing a NAS message, the code assumes the list must exist and asserts its presence unconditionally. This leads to a fatal assertion failure and causes the SMF process to crash (exit code 139).
The vulnerability can be triggered remotely by sending a crafted response that omits the `qosFlowsSetupList`, causing a denial of service by crashing the SMF process instead of handling the malformed response gracefully.
How can this vulnerability impact me? :
This vulnerability can cause a denial of service (DoS) condition by crashing the SMF process in Open5GS. Since the SMF is responsible for session management in the network, its crash can disrupt ongoing sessions and network operations.
An attacker can remotely trigger this crash by sending a specially crafted response that omits required fields, leading to service interruptions and potential loss of connectivity for users relying on the affected network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes the Open5GS SMF process to crash with exit code 139 when it receives a malformed 201 Created response from the H-SMF that omits the qosFlowsSetupList field in the PduSessionCreatedData.
Detection can be performed by monitoring the SMF process for unexpected crashes or abnormal termination (exit code 139).
Additionally, network traffic analysis can be used to detect malformed 201 Created responses from the H-SMF that lack the qosFlowsSetupList field.
- Use system commands like `journalctl -u open5gs-smf` or `systemctl status open5gs-smf` to check for recent crashes or abnormal exits.
- Use `ps` or `top` to monitor if the SMF process is restarting frequently.
- Capture and inspect network packets between SMF and H-SMF using tools like `tcpdump` or `wireshark` filtering for 201 Created responses to verify presence or absence of the qosFlowsSetupList field.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include monitoring and restricting malformed responses from the H-SMF to the SMF to prevent triggering the crash.
Since the vulnerability is triggered by a crafted 201 Created response missing the qosFlowsSetupList field, ensure that only trusted and validated H-SMF nodes communicate with the SMF.
Implement network-level filtering or validation to block or sanitize malformed messages.
Monitor the SMF process for crashes and consider automated restart mechanisms to maintain service availability.
Stay updated with Open5GS project communications for patches or official fixes addressing this issue.