CVE-2026-8288
Denial of Service in Open5GS SMF Component
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | to 2.7.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8288 is a vulnerability in Open5GS up to version 2.7.7 affecting the Session Management Function (SMF). It occurs in the function gsm_handle_pdu_session_modification_qos_flow_descriptions when processing a PDU Session Modification Request.
The vulnerability arises because the parser accepts a 3-byte bitrate structure without validating the bitrate unit in the QoS flow descriptions within the n1SmMsg field. If an invalid bitrate unit (such as unit=0) is provided, it causes a fatal error leading to the SMF process crashing (exit code 139).
This crash happens before any HTTP response can be sent, resulting in a denial of service. The attack can be launched remotely by sending a crafted multipart request with a malicious NAS payload containing the invalid bitrate unit.
How can this vulnerability impact me? :
This vulnerability can cause a denial of service (DoS) by crashing the SMF process in Open5GS. When exploited, the entire SMF process terminates unexpectedly, disrupting the session management service.
Because the SMF is a critical component in the 5G core network responsible for managing sessions, its crash can lead to service interruptions affecting network availability and reliability.
The attack can be performed remotely without user interaction, making it easier for attackers to disrupt network operations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the Open5GS SMF process for crashes or abnormal termination, specifically exit code 139, which indicates a segmentation fault caused by processing invalid bitrate units in PDU Session Modification Requests.
Detection involves identifying crafted multipart requests with malicious NAS payloads containing invalid bitrate units in the QoS flow descriptions within the n1SmMsg field.
You can use system logs and process monitoring tools to detect crashes of the SMF component.
- Use commands like `journalctl -u open5gs-smf` or `systemctl status open5gs-smf` to check for recent crashes or abnormal exits.
- Monitor the SMF process with `ps aux | grep open5gs-smf` and check for unexpected restarts.
- Capture and analyze network traffic targeting the SMF's AMF-facing endpoint (`sm-contexts/{ref}/modify`) to detect suspicious multipart requests with malformed QoS flow descriptions.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the SMF component to trusted sources only, to reduce the risk of remote exploitation.
Implement network-level filtering or firewall rules to block malformed or suspicious PDU Session Modification Requests targeting the SMF.
Monitor the SMF process for crashes and restart it promptly to maintain service availability.
Apply the pending patch from the official Open5GS pull request that pre-validates Modification Request QoS Flow parameters before mutation, once it is accepted and available.
- Until the patch is applied, consider deploying additional input validation or proxy filtering to detect and block invalid bitrate units in QoS flow descriptions.