Executive Summary

The vulnerability in Open5GS up to version 2.7.7 occurs in the Session Management Function (SMF), specifically in the function smf_nsmf_handle_update_data_in_vsmf. It is triggered when a malformed HTTP POST request is sent to the endpoint /nsmf-pdusession/v1/vsmf-pdu-session/{smContextRef}/modify. If the request contains a qosFlowsAddModRequestList item with a qfi and qosFlowDescription but lacks the required qosFlowProfile field, the function attempts to dereference a null qosFlowProfile pointer. This causes a segmentation fault, crashing the SMF process immediately and preventing it from returning a proper HTTP 400 error response.

Instead of gracefully rejecting the malformed request, the SMF crashes and aborts the HTTP/2 stream. This vulnerability can be remotely exploited by sending such a malformed request, and the exploit is publicly available.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition in the Open5GS Session Management Function. When exploited, it causes the SMF process to crash abruptly, disrupting the normal operation of the 5G core network component.

Such a crash can interrupt service availability, potentially affecting network reliability and user connectivity. Since the SMF is a critical component in managing sessions in 5G networks, its failure can degrade network performance or cause outages.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal terminations of the Open5GS SMF process, especially when it handles HTTP POST requests to the endpoint `/nsmf-pdusession/v1/vsmf-pdu-session/{smContextRef}/modify`.

Specifically, detection involves identifying malformed POST requests that include a `qosFlowsAddModRequestList` item with `qfi` and `qosFlowDescription` but omit the required `qosFlowProfile` field, which causes the SMF to crash.

A practical approach is to capture and analyze HTTP traffic to this endpoint for such malformed requests.

• Use network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to `/nsmf-pdusession/v1/vsmf-pdu-session/`.
• Example tcpdump command to capture relevant traffic: `tcpdump -i <interface> -s 0 -w capture.pcap 'tcp port 80 or tcp port 443'`
• Analyze captured traffic for POST requests missing the `qosFlowProfile` field in the JSON payload under `qosFlowsAddModRequestList`.
• Monitor Open5GS SMF logs for segmentation faults or process crashes with exit code 139, which indicate exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include preventing the SMF from processing malformed requests that omit the `qosFlowProfile` field, which triggers the crash.

Since the vulnerability is due to improper handling of input in the `smf_nsmf_handle_update_data_in_vsmf()` function, applying input validation or filtering malformed requests at the network or application firewall level can help.

• Block or filter HTTP POST requests to `/nsmf-pdusession/v1/vsmf-pdu-session/{smContextRef}/modify` that contain `qosFlowsAddModRequestList` items missing the `qosFlowProfile` field.
• Monitor and restart the SMF process if it crashes to maintain service availability.
• Stay updated with Open5GS project communications for patches or official fixes addressing this issue.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-8289 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0