CVE-2026-8249 Overview
CVE-2026-8249 affects Open5GS versions up to 2.7.7. The flaw resides in the update_authorized_pcc_rule_and_qos function within /src/smf/npcf-handler.c, a component of the Session Management Function (SMF). An authenticated remote attacker can trigger a denial of service (DoS) condition by manipulating input processed by this function. The vulnerability is categorized under [CWE-404] Improper Resource Shutdown or Release. A public exploit has been published, increasing the likelihood of opportunistic abuse against exposed Open5GS deployments. The Open5GS project has been notified through an issue report but has not yet responded with a fix.
Critical Impact
Remote attackers with low privileges can crash the Open5GS SMF service, disrupting 5G core network session management.
Affected Products
- Open5GS versions up to and including 2.7.7
- Open5GS SMF (Session Management Function) component
- Deployments running the npcf-handler.c PCC rule and QoS update logic
Discovery Timeline
- 2026-05-10 - CVE-2026-8249 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-8249
Vulnerability Analysis
The defect exists in the update_authorized_pcc_rule_and_qos function in /src/smf/npcf-handler.c. This routine handles Policy and Charging Control (PCC) rule updates and Quality of Service (QoS) authorization data exchanged between the SMF and the Policy Control Function (PCF) over the Npcf service-based interface. Improper resource handling during the update flow allows a remote actor to crash or stall the SMF process. Because the SMF orchestrates PDU session establishment in a 5G core, disruption affects all subscribers relying on the affected instance. Exploitation requires network reachability to the SMF and low-level privileges within the service-based architecture.
Root Cause
The root cause maps to [CWE-404] Improper Resource Shutdown or Release. The update_authorized_pcc_rule_and_qos function fails to correctly release or validate resources when processing certain PCC rule or QoS update messages. This leads to abnormal termination or resource exhaustion within the SMF process. The Open5GS project has acknowledged the issue tracker entry but has not yet issued a code fix.
Attack Vector
The attack vector is network-based. An attacker positioned on the 5G service-based interface, or with the ability to send crafted Npcf messages to the SMF endpoint, can invoke the vulnerable handler. Successful exploitation does not require user interaction. The exploit has been published, lowering the technical barrier for adversaries.
No verified proof-of-concept code is included here. Refer to the GitHub Issue Tracker #4443 and VulDB Vulnerability #362546 for technical analysis.
Detection Methods for CVE-2026-8249
Indicators of Compromise
- Unexpected restarts or crashes of the Open5GS SMF process correlated with inbound Npcf traffic
- Malformed or anomalous PCC rule and QoS update messages on the SMF service-based interface
- Gaps in PDU session establishment logs followed by SMF process termination entries
Detection Strategies
- Monitor SMF process health and exit codes through systemd journal or container orchestrator events
- Inspect Npcf message payloads for malformed PCC rule structures targeting update_authorized_pcc_rule_and_qos
- Correlate SMF crash events with source IPs of Npcf clients to identify probing patterns
Monitoring Recommendations
- Enable verbose logging in Open5GS SMF to capture inbound Npcf request details
- Forward 5G core control-plane logs to a centralized SIEM for retention and alerting
- Track service availability metrics for the SMF and alert on repeated restarts within short windows
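One way to implement the restart monitoring described above, as an added example that is not part of the original advisory or of Open5GS: it parses `journalctl -o short-iso` output for abnormal SMF exits and reports bursts of crashes that fall inside a sliding window. The unit name `open5gs-smfd.service`, the sample journal lines, and the threshold and window values are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumptions: the SMF runs as systemd unit open5gs-smfd.service and the
# journal was exported with `journalctl -o short-iso`.
CRASH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ systemd\[\d+\]: open5gs-smfd\.service: "
    r"Main process exited, code=(?P<code>\w+), status=(?P<status>\S+)")

# Constructed sample journal, not captured from a real deployment.
SAMPLE = """\
2026-05-14T09:12:40+0000 core1 systemd[1]: open5gs-smfd.service: Main process exited, code=exited, status=0/SUCCESS
2026-05-14T10:00:03+0000 core1 systemd[1]: open5gs-smfd.service: Main process exited, code=killed, status=6/ABRT
2026-05-14T10:00:08+0000 core1 systemd[1]: Started open5gs-smfd.service.
2026-05-14T10:01:30+0000 core1 systemd[1]: open5gs-smfd.service: Main process exited, code=dumped, status=6/ABRT
2026-05-14T10:03:55+0000 core1 systemd[1]: open5gs-smfd.service: Main process exited, code=killed, status=6/ABRT
2026-05-14T14:20:00+0000 core1 systemd[1]: open5gs-smfd.service: Main process exited, code=dumped, status=11/SEGV
"""

def parse_crashes(text):
    """Return (timestamp, code, status) for each abnormal SMF exit."""
    crashes = []
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        # code=exited with status 0 is a clean stop, not a crash.
        if m and not (m["code"] == "exited" and m["status"].startswith("0/")):
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z")
            crashes.append((ts, m["code"], m["status"]))
    return crashes

def restart_bursts(crashes, threshold=3, window=timedelta(minutes=5)):
    """Return (first, last, count) for each run of >= threshold crashes
    that fits a sliding window; overlapping windows merge into one burst."""
    times = sorted(ts for ts, _, _ in crashes)
    bursts, start = [], 0          # bursts hold [first_idx, last_idx]
    for end, ts in enumerate(times):
        while ts - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            if bursts and bursts[-1][1] >= start:
                bursts[-1][1] = end    # window overlaps the open burst
            else:
                bursts.append([start, end])
    return [(times[a], times[b], b - a + 1) for a, b in bursts]

if __name__ == "__main__":
    for first, last, n in restart_bursts(parse_crashes(SAMPLE)):
        print(f"ALERT: {n} SMF crashes between {first} and {last}")
```

Each reported burst gives the time range to pull Npcf client source addresses from gateway or SMF request logs for correlation.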
How to Mitigate CVE-2026-8249
Immediate Actions Required
- Restrict network access to the SMF service-based interface to trusted PCF nodes only
- Apply network segmentation and firewall rules between 5G core network functions
- Monitor the GitHub Open5GS Repository for an upstream fix and apply it as soon as it is released
- Maintain process supervision so that the SMF restarts automatically after a crash
Patch Information
No official patch has been released at the time of publication. The Open5GS maintainers have been informed via GitHub Issue Tracker #4443 but have not yet responded. Operators should track the upstream repository and apply security updates once available.
Workarounds
- Place the SMF behind a service mesh or API gateway that validates Npcf message structure before forwarding
- Limit which PCF instances are authorized to send PCC rule updates using mutual TLS and allowlisting
- Deploy redundant SMF instances behind a load balancer to absorb single-process crashes without subscriber impact
```bash
# Example: restrict inbound traffic to the SMF Npcf listener to trusted PCF hosts
iptables -A INPUT -p tcp --dport 7777 -s <trusted_pcf_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP
```