CVE-2026-8288
Undergoing Analysis Undergoing Analysis - In Progress
Denial of Service in Open5GS SMF Component

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulDB

Description
A vulnerability was determined in Open5GS up to 2.7.7. This affects the function gsm_handle_pdu_session_modification_qos_flow_descriptions of the file src/smf/gsm-handler.c of the component SMF. Executing a manipulation of the argument n1SmMsg can lead to denial of service. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-20
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-8288
EUVD
EUVD-2026-29050
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open5gs open5gs to 2.7.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-8288 is a vulnerability in Open5GS up to version 2.7.7 affecting the Session Management Function (SMF). It occurs in the function gsm_handle_pdu_session_modification_qos_flow_descriptions when processing a PDU Session Modification Request.

The vulnerability arises because the parser accepts a 3-byte bitrate structure without validating the bitrate unit in the QoS flow descriptions within the n1SmMsg field. If an invalid bitrate unit (such as unit=0) is provided, it causes a fatal error leading to the SMF process crashing (exit code 139).

This crash happens before any HTTP response can be sent, resulting in a denial of service. The attack can be launched remotely by sending a crafted multipart request with a malicious NAS payload containing the invalid bitrate unit.

Impact Analysis

This vulnerability can cause a denial of service (DoS) by crashing the SMF process in Open5GS. When exploited, the entire SMF process terminates unexpectedly, disrupting the session management service.

Because the SMF is a critical component in the 5G core network responsible for managing sessions, its crash can lead to service interruptions affecting network availability and reliability.

The attack can be performed remotely without user interaction, making it easier for attackers to disrupt network operations.

Detection Guidance

This vulnerability can be detected by monitoring the Open5GS SMF process for crashes or abnormal termination, specifically exit code 139, which indicates a segmentation fault caused by processing invalid bitrate units in PDU Session Modification Requests.

Detection involves identifying crafted multipart requests with malicious NAS payloads containing invalid bitrate units in the QoS flow descriptions within the n1SmMsg field.

You can use system logs and process monitoring tools to detect crashes of the SMF component.

  • Use commands like `journalctl -u open5gs-smf` or `systemctl status open5gs-smf` to check for recent crashes or abnormal exits.
  • Monitor the SMF process with `ps aux | grep open5gs-smf` and check for unexpected restarts.
  • Capture and analyze network traffic targeting the SMF's AMF-facing endpoint (`sm-contexts/{ref}/modify`) to detect suspicious multipart requests with malformed QoS flow descriptions.
Mitigation Strategies

Immediate mitigation steps include restricting access to the SMF component to trusted sources only, to reduce the risk of remote exploitation.

Implement network-level filtering or firewall rules to block malformed or suspicious PDU Session Modification Requests targeting the SMF.

Monitor the SMF process for crashes and restart it promptly to maintain service availability.

Apply the pending patch from the official Open5GS pull request that pre-validates Modification Request QoS Flow parameters before mutation, once it is accepted and available.

  • Until the patch is applied, consider deploying additional input validation or proxy filtering to detect and block invalid bitrate units in QoS flow descriptions.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8288. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart