CVE-2026-8289
Denial of Service in Open5GS due to QoS Flow Profile Manipulation
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | up to and including 2.7.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Open5GS up to version 2.7.7 occurs in the Session Management Function (SMF), specifically in the function `smf_nsmf_handle_update_data_in_vsmf`. It is triggered when a malformed HTTP POST request is sent to the endpoint `/nsmf-pdusession/v1/vsmf-pdu-session/{smContextRef}/modify`. If the request contains a `qosFlowsAddModRequestList` item with a `qfi` and `qosFlowDescription` but lacks the required `qosFlowProfile` field, the function attempts to dereference a null `qosFlowProfile` pointer. This causes a segmentation fault, crashing the SMF process immediately and preventing it from returning a proper HTTP 400 error response.
Instead of gracefully rejecting the malformed request, the SMF crashes and aborts the HTTP/2 stream. This vulnerability can be remotely exploited by sending such a malformed request, and the exploit is publicly available.
How can this vulnerability impact me?
This vulnerability can lead to a denial of service (DoS) condition in the Open5GS Session Management Function. When exploited, it causes the SMF process to crash abruptly, disrupting the normal operation of the 5G core network component.
Such a crash can interrupt service availability, potentially affecting network reliability and user connectivity. Since the SMF is a critical component in managing sessions in 5G networks, its failure can degrade network performance or cause outages.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or abnormal terminations of the Open5GS SMF process, especially when it handles HTTP POST requests to the endpoint `/nsmf-pdusession/v1/vsmf-pdu-session/{smContextRef}/modify`.
Specifically, detection involves identifying malformed POST requests that include a `qosFlowsAddModRequestList` item with `qfi` and `qosFlowDescription` but omit the required `qosFlowProfile` field, which causes the SMF to crash.
A practical approach is to capture and analyze HTTP traffic to this endpoint for such malformed requests.
- Use network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to `/nsmf-pdusession/v1/vsmf-pdu-session/`.
- Example tcpdump command to capture relevant traffic: `tcpdump -i <interface> -s 0 -w capture.pcap 'tcp port 80 or tcp port 443'`
- Analyze captured traffic for POST requests missing the `qosFlowProfile` field in the JSON payload under `qosFlowsAddModRequestList`.
- Monitor Open5GS SMF logs for segmentation faults or process crashes with exit code 139, which indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing the SMF from processing malformed requests that omit the `qosFlowProfile` field, which triggers the crash.
Since the vulnerability is due to improper handling of input in the `smf_nsmf_handle_update_data_in_vsmf()` function, applying input validation or filtering malformed requests at the network or application firewall level can help.
- Block or filter HTTP POST requests to `/nsmf-pdusession/v1/vsmf-pdu-session/{smContextRef}/modify` that contain `qosFlowsAddModRequestList` items missing the `qosFlowProfile` field.
- Monitor and restart the SMF process if it crashes to maintain service availability.
- Stay updated with Open5GS project communications for patches or official fixes addressing this issue.
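
The payload check described in the detection and mitigation answers above, written as an added Python example (not Open5GS code and not part of the original page). It assumes the caller, for example a filtering proxy hook or a script walking a decoded capture, already has the HTTP method, the path and a plain JSON body; the function name, the sample `smContextRef` and the sample field values are constructed for illustration.

```python
import json
import re

# Endpoint named in the advisory; {smContextRef} is matched as one path segment.
MODIFY_PATH = re.compile(r"^/nsmf-pdusession/v1/vsmf-pdu-session/[^/]+/modify/?$")

def check_modify_request(method, path, body):
    """Return a list of reasons to reject the request; empty means pass it on."""
    if method.upper() != "POST" or not MODIFY_PATH.match(path.split("?", 1)[0]):
        return []  # not the endpoint this check covers
    try:
        doc = json.loads(body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return ["body is not valid JSON"]
    if not isinstance(doc, dict):
        return ["body is not a JSON object"]
    items = doc.get("qosFlowsAddModRequestList")
    if items is None:
        return []  # this update carries no QoS flow changes
    if not isinstance(items, list):
        return ["qosFlowsAddModRequestList is not an array"]
    reasons = []
    for i, item in enumerate(items):
        # Conservative choice: a null or non-object qosFlowProfile counts as missing.
        if not isinstance(item, dict) or not isinstance(item.get("qosFlowProfile"), dict):
            reasons.append(f"qosFlowsAddModRequestList[{i}]: qosFlowProfile missing")
    return reasons

# Constructed sample requests (hypothetical smContextRef "1" and field values).
PATH = "/nsmf-pdusession/v1/vsmf-pdu-session/1/modify"
COMPLETE = b'{"qosFlowsAddModRequestList":[{"qfi":1,"qosFlowDescription":"AA==","qosFlowProfile":{"5qi":9}}]}'
INCOMPLETE = b'{"qosFlowsAddModRequestList":[{"qfi":1,"qosFlowDescription":"AA=="}]}'

if __name__ == "__main__":
    for name, body in (("complete", COMPLETE), ("incomplete", INCOMPLETE)):
        reasons = check_modify_request("POST", PATH, body)
        print(name, "->", "reject: " + "; ".join(reasons) if reasons else "pass")
```

A non-empty result is the condition under which a filter in front of the SMF would answer with HTTP 400 itself, or a capture-review script would flag the request.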