CVE-2026-8222 Overview
CVE-2026-8222 is a denial of service vulnerability in Open5GS, an open source implementation of 5G Core and Evolved Packet Core (EPC) network functions. The flaw affects versions up to and including 2.7.7 and resides in the pcf_nbsf_management_handle_register function within src/pcf/nbsf-handler.c. The vulnerable code belongs to the sm-policies endpoint of the Policy Control Function (PCF) component. Remote attackers can exploit the issue without authentication or user interaction. The exploit details have been publicly disclosed, though the Open5GS project has not yet responded to the issue report. The weakness is classified as [CWE-404] Improper Resource Shutdown or Release.
Critical Impact
Unauthenticated remote attackers can trigger a denial of service condition against the PCF sm-policies endpoint, disrupting 5G Core policy control operations.
Affected Products
- Open5GS versions up to and including 2.7.7
- Open5GS PCF (Policy Control Function) component
- Open5GS sm-policies endpoint handler
Discovery Timeline
- 2026-05-10 - CVE-2026-8222 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-8222
Vulnerability Analysis
The vulnerability resides in the pcf_nbsf_management_handle_register function inside src/pcf/nbsf-handler.c. This function processes registration requests on the PCF sm-policies endpoint, which is part of the Nbsf (Binding Support Function) management interface used in 5G Service Based Architecture. Improper resource shutdown or release during the handling of these requests allows an attacker to disrupt service availability. The Common Weakness Enumeration assigns this issue to [CWE-404], indicating that resources are not properly released after use. Successful exploitation impacts the availability of the PCF, which controls policy and charging functions across the 5G Core.
Root Cause
The root cause is improper resource handling within the Nbsf registration handler. When the function processes a crafted registration request, it fails to release or clean up resources correctly. Over repeated requests or with malformed input, this leads to resource exhaustion or premature termination of the PCF process. The PCF is a central control plane component, and its degradation cascades into broader 5G session management failures.
Attack Vector
The attack is performed remotely over the network without authentication or user interaction. An attacker with reachability to the PCF sm-policies endpoint sends crafted Nbsf management registration traffic to the vulnerable handler. Because Service Based Interfaces in a 5G Core are typically reachable by other network functions on a control plane network, exposure depends on how strictly that plane is segmented. Public disclosure of the exploit increases the risk of opportunistic reuse against exposed Open5GS deployments.
No verified exploit code has been published in a curated repository at this time. See GitHub Issue #4437 and VulDB Vulnerability #362439 for additional technical details.
Detection Methods for CVE-2026-8222
Indicators of Compromise
- Unexpected crashes, restarts, or hangs of the Open5GS PCF process coinciding with inbound Nbsf traffic.
- Spikes in HTTP/2 requests to the PCF sm-policies endpoint from unusual or unauthorized source addresses.
- Malformed or anomalous Nbsf management registration payloads observed in PCF logs.
Detection Strategies
- Inspect PCF service logs for repeated registration attempts or errors originating from pcf_nbsf_management_handle_register.
- Correlate PCF process restarts with control plane traffic captures targeting the sm-policies endpoint.
- Deploy network monitoring on the 5G Service Based Interface to flag unauthenticated peers contacting PCF endpoints.
Monitoring Recommendations
- Track PCF availability metrics and alert on abnormal restart counts or memory growth.
- Enable verbose logging on the Nbsf management handler during incident triage to capture offending payloads.
- Forward Open5GS logs and 5G Core telemetry into a centralized analytics platform for cross-component correlation.
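One way to implement the restart-count alert from the recommendations above, as an added example that is not part of the advisory or the Open5GS project. It assumes the PCF runs as the systemd unit open5gs-pcfd.service and that input comes from `journalctl -u open5gs-pcfd -o short-unix`; the journal lines, window and threshold are constructed.

```shell
#!/bin/sh
# Added example: flag bursts of PCF exits in journald output read from stdin.
# Assumes the unit name open5gs-pcfd.service and `-o short-unix` timestamps.
# $1 = window in seconds, $2 = number of exits inside the window that alerts.
pcf_restart_bursts() {
    awk -v win="$1" -v need="$2" '
    /open5gs-pcfd\.service: Main process exited/ {
        t[++n] = $1 + 0                           # epoch seconds, field 1
        while (t[n] - t[head + 1] > win) head++   # slide window start forward
        if (n - head >= need)
            printf "ALERT %d exits=%d\n", t[n], n - head
    }'
}

# Constructed journal lines (host name and times are made up).
sample_journal() {
    cat <<'EOF'
1778400000.101 core1 systemd[1]: open5gs-pcfd.service: Main process exited, code=dumped, status=6/ABRT
1778400000.350 core1 systemd[1]: open5gs-pcfd.service: Scheduled restart job, restart counter is at 1.
1778400020.500 core1 systemd[1]: open5gs-pcfd.service: Main process exited, code=dumped, status=6/ABRT
1778400020.742 core1 systemd[1]: open5gs-pcfd.service: Scheduled restart job, restart counter is at 2.
1778400045.900 core1 systemd[1]: open5gs-pcfd.service: Main process exited, code=dumped, status=6/ABRT
1778400046.120 core1 systemd[1]: open5gs-pcfd.service: Scheduled restart job, restart counter is at 3.
1778400400.000 core1 systemd[1]: open5gs-pcfd.service: Main process exited, code=dumped, status=6/ABRT
EOF
}

# Three exits within 60 seconds raise one alert; the isolated fourth does not.
sample_journal | pcf_restart_bursts 60 3
```

Each alert timestamp marks the window to pull SBI traffic captures for, which is the correlation step listed under Detection Strategies.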
How to Mitigate CVE-2026-8222
Immediate Actions Required
- Restrict network access to the PCF sm-policies endpoint to trusted 5G Core network functions only.
- Monitor the Open5GS GitHub repository and Issue #4437 for an official fix or patch commit.
- Audit current Open5GS deployments to identify instances running version 2.7.7 or earlier.
Patch Information
At the time of publication, the Open5GS project has not released an official patch for CVE-2026-8222. The issue was reported through a public GitHub issue, but no vendor response has been recorded. Operators should track upstream commits to src/pcf/nbsf-handler.c and apply the fix as soon as it is published. Until then, compensating controls at the network layer are required.
Workarounds
- Enforce strict network segmentation so only authorized 5G Core network functions can reach the PCF Service Based Interface.
- Apply mutual TLS authentication between network functions on the SBI to prevent unauthenticated peers from contacting the PCF.
- Place rate limiting in front of the PCF sm-policies endpoint to reduce the impact of repeated malicious registrations.
- Configure process supervision to automatically restart the PCF and alert operators if it terminates unexpectedly.
```shell
# Configuration example: restrict PCF SBI exposure with host firewall rules
# Allow only known 5G Core network function IPs to reach the PCF sm-policies endpoint
iptables -A INPUT -p tcp --dport 7777 -s <AMF_IP> -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -s <SMF_IP> -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP
```
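Because `iptables -A` appends to the chain, an ACCEPT for the port that is already present is evaluated first and the new DROP never applies. The check below is an added example, not from the advisory or the Open5GS project: it audits `iptables -S INPUT` output for port 7777 against an allowlist. The peer addresses and both rulesets are constructed.

```shell
#!/bin/sh
# Added example: audit `iptables -S INPUT` output (stdin) for the PCF SBI port.
# $1 = port, $2 = space-separated allowlist of peer IPs (constructed values below).
audit_sbi_rules() {
    awk -v port="$1" -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "-P" && $2 == "INPUT" { policy_drop = ($3 == "DROP") }
    $1 == "-A" && $2 == "INPUT" {
        src = ""; dport = ""; tgt = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-s") src = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-j") tgt = $(i + 1)
        }
        if (dport != port) next              # only rules naming the SBI port
        sub(/\/32$/, "", src)                # iptables -S prints hosts as x/32
        if (tgt == "DROP" || tgt == "REJECT") { if (src == "") blocked = 1; next }
        if (tgt != "ACCEPT") next
        if (blocked)            print "UNREACHABLE " (src == "" ? "any" : src)
        else if (src == "")     print "OPEN any"      # matches before any later DROP
        else if (!(src in ok))  print "UNLISTED " src
    }
    END { if (!blocked && !policy_drop) print "NO-DROP " port }'
}

# Constructed ruleset: the three rules from the page appended to a chain that
# already accepted the port from anywhere, so the final DROP never matches.
sample_weak() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 7777 -j ACCEPT
-A INPUT -s 10.10.0.11/32 -p tcp -m tcp --dport 7777 -j ACCEPT
-A INPUT -s 10.10.0.12/32 -p tcp -m tcp --dport 7777 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7777 -j DROP
EOF
}

# Constructed ruleset: allowlisted peers first, then the catch-all DROP.
sample_good() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 10.10.0.11/32 -p tcp -m tcp --dport 7777 -j ACCEPT
-A INPUT -s 10.10.0.12/32 -p tcp -m tcp --dport 7777 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7777 -j DROP
EOF
}

sample_weak | audit_sbi_rules 7777 "10.10.0.11 10.10.0.12"   # prints: OPEN any
```

No output means every rule naming the port matched the allowlist and a catch-all DROP follows. Rules that cover the port without naming it with `--dport` are outside what this check inspects.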


