CVE-2026-8248 Overview
CVE-2026-8248 is a denial of service vulnerability in Open5GS, an open-source implementation of 5G Core and EPC network functions. The flaw resides in the update_authorized_pcc_rule_and_qos function within /src/smf/npcf-handler.c, part of the Session Management Function (SMF) component. Versions of Open5GS up to and including 2.7.7 are affected. An authenticated remote attacker can manipulate inputs processed by this function to trigger a denial of service condition against the SMF. The exploit details are public, and the upstream project has not yet responded to the issue report. The vulnerability is categorized under [CWE-404] Improper Resource Shutdown or Release.
Critical Impact
Remote attackers with low privileges can disrupt the Session Management Function of Open5GS deployments, impacting 5G/EPC session handling availability.
Affected Products
- Open5GS versions up to and including 2.7.7
- Open5GS SMF (Session Management Function) component
- Deployments using the npcf-handler.c PCC rule and QoS update logic
Discovery Timeline
- 2026-05-10 - CVE-2026-8248 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-8248
Vulnerability Analysis
The vulnerability exists in the update_authorized_pcc_rule_and_qos function in /src/smf/npcf-handler.c. This function handles authorized Policy and Charging Control (PCC) rule and Quality of Service (QoS) updates received via the Npcf interface from the Policy Control Function (PCF). Improper handling of the inputs processed within this function leads to a denial of service condition in the Session Management Function process. Because the SMF is central to PDU session establishment and management in 5G Core deployments, disruption of this component affects subscriber session signaling. The flaw is classified under [CWE-404], reflecting improper resource shutdown or release behavior during rule and QoS updates.
Root Cause
The root cause is improper handling of PCC rule and QoS update data inside update_authorized_pcc_rule_and_qos. The function fails to safely manage resources or validate state transitions when processing authorized rule updates, resulting in an abnormal termination or hang condition. Full technical specifics are documented in the public GitHub Issue #4442 and the VulDB entry #362545.
Attack Vector
The attack vector is network-based and requires low privileges, with no user interaction. An attacker positioned to interact with the SMF over the Service Based Interface, or able to influence PCF-originated update messages reaching the SMF, can trigger the vulnerable code path. Successful exploitation does not yield code execution or data disclosure but causes the SMF to enter a denied service state, breaking session management for connected subscribers. The exploit is reported as publicly available.
No verified proof-of-concept code is published in this advisory. Refer to the Open5GS GitHub repository and the linked issue report for technical context.
Detection Methods for CVE-2026-8248
Indicators of Compromise
- Unexpected crashes, restarts, or hangs of the Open5GS open5gs-smfd process correlated with inbound Npcf SM Policy update traffic.
- Sudden drop in active PDU sessions or spikes in session establishment failures reported by the SMF.
- Anomalous or malformed PCC rule and QoS update messages on the N7 / Npcf interface preceding SMF instability.
Detection Strategies
- Monitor SMF process health, including uptime, restarts, and core dumps, against a baseline.
- Inspect SMF logs for errors emitted from npcf-handler.c and the update_authorized_pcc_rule_and_qos code path.
- Correlate Npcf SM Policy Control traffic patterns with SMF availability metrics to identify trigger events.
Monitoring Recommendations
- Enable verbose logging on the SMF during incident response to capture the message contents preceding a crash.
- Track session establishment success rates, PDU session counts, and N7 message volumes as availability indicators.
- Alert on repeated SMF restarts within short windows, which can indicate active exploitation attempts.
How to Mitigate CVE-2026-8248
Immediate Actions Required
- Inventory all Open5GS deployments and identify instances running version 2.7.7 or earlier.
- Restrict network reachability of the SMF Npcf interface to trusted PCF endpoints only, using network policy or firewall rules.
- Increase monitoring on SMF processes and the Npcf signaling path until an upstream fix is available.
Patch Information
As of the last NVD update on 2026-05-12, the Open5GS project has not published a fix. The issue was reported via GitHub Issue #4442 without a vendor response. Track that issue and the Open5GS repository for upstream patches, and apply updates to a version newer than 2.7.7 once released.
Workarounds
- Place the SMF behind strict network segmentation so that only authorized PCF instances can reach the Npcf interface.
- Apply mutual TLS and authentication policies on the Service Based Interface to prevent unauthenticated message injection.
- Implement automated process supervision to restart the SMF rapidly if it terminates, reducing service outage windows.
- Rate-limit or validate Npcf SM Policy update messages at an upstream proxy or service mesh where feasible.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
