CVE-2026-8250 Overview
CVE-2026-8250 is a denial of service vulnerability in Open5GS versions up to 2.7.7. The flaw resides in the smf_n4_build_qos_flow_to_modify_list function within /src/smf/n4-build.c, a component of the Session Management Function (SMF). Attackers can trigger the condition remotely with low-privilege network access. The vulnerability is classified under CWE-404: Improper Resource Shutdown or Release. A public exploit disclosure exists, but the Open5GS project had not responded to the upstream issue report at the time of publication.
Critical Impact
Remote attackers with low privileges can disrupt SMF availability in Open5GS deployments, affecting 5G core session management.
Affected Products
- Open5GS versions up to and including 2.7.7
- Open5GS Session Management Function (SMF) component
- Deployments using /src/smf/n4-build.c with the vulnerable QoS flow build logic
Discovery Timeline
- 2026-05-10 - CVE-2026-8250 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-8250
Vulnerability Analysis
The vulnerability affects the smf_n4_build_qos_flow_to_modify_list function in the Open5GS SMF module. This function builds the Quality of Service (QoS) flow modification list used in N4 interface messages between the SMF and the User Plane Function (UPF). Improper resource handling in this code path leads to a denial of service condition when an attacker manipulates the relevant input.
Open5GS is an open-source implementation of 5G Core and EPC components. The SMF handles session establishment, modification, and release for user equipment. Disrupting the SMF impacts subscriber session management across the mobile core network.
Root Cause
The root cause is improper resource shutdown or release [CWE-404] in the smf_n4_build_qos_flow_to_modify_list function. When the function processes specific QoS flow modification requests, resources are not handled correctly, leading to abnormal termination of the SMF process.
Attack Vector
The attack is network-based and requires low privileges. An authenticated attacker capable of sending N4 PFCP messages to the SMF can trigger the vulnerable code path remotely. No user interaction is required. The exploit details have been disclosed publicly through VulDB entry #362547 and the corresponding GitHub Issue #4444.
No verified proof-of-concept code is published in this advisory. Refer to the Open5GS repository for source-level analysis of the affected function.
Detection Methods for CVE-2026-8250
Indicators of Compromise
- Unexpected restarts or crashes of the open5gs-smfd process correlated with inbound N4/PFCP traffic
- Abnormal QoS flow modification requests targeting the SMF on PFCP port 8805
- Loss of subscriber session continuity coinciding with malformed PFCP session modification messages
Detection Strategies
- Monitor SMF process health and log entries for crashes inside smf_n4_build_qos_flow_to_modify_list
- Inspect PFCP session modification messages for malformed or unexpected QoS flow modify Information Elements
- Correlate SMF service interruptions with source IP addresses sending N4 traffic to identify abusive peers
Monitoring Recommendations
- Enable verbose logging in Open5GS SMF and aggregate logs into a central SIEM for correlation
- Track PFCP message rates per source UPF and alert on anomalies
- Establish baseline availability metrics for the SMF and alert on service restarts beyond normal thresholds
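The correlation of SMF interruptions with N4 source addresses (Detection Strategies) and the per-source PFCP tracking (Monitoring Recommendations) can be prototyped offline as below. This is an added example, not code from Open5GS or from this advisory's sources. The record shapes (supervisor restart timestamps, received-datagram tuples), the addresses and the function name `correlate` are assumptions, and all sample data is constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry). Assumed inputs:
#  - RESTARTS: times a process supervisor restarted open5gs-smfd
#  - PFCP_RX:  (time, source IP) of UDP/8805 datagrams received by the SMF
TRUSTED_UPFS = {"10.10.0.7"}
RESTARTS = ["2026-05-11T10:00:30", "2026-05-11T10:05:12", "2026-05-11T11:40:00"]
PFCP_RX = [
    ("2026-05-11T10:00:10", "10.10.0.7"),
    ("2026-05-11T10:00:28", "10.10.0.99"),
    ("2026-05-11T10:03:00", "10.10.0.7"),
    ("2026-05-11T10:05:10", "10.10.0.99"),
    ("2026-05-11T10:30:00", "10.10.0.7"),
    ("2026-05-11T11:20:00", "10.10.0.7"),
    ("2026-05-11T11:39:58", "10.10.0.99"),
]

def correlate(restarts, pfcp_rx, window_s=5, trusted=frozenset()):
    """Rank PFCP sources by how many SMF restarts they immediately preceded.

    A source is counted once per restart if it sent at least one datagram
    in the window_s seconds before that restart. datagrams_total is kept so
    an analyst can discount peers that are simply always talking.
    """
    restart_times = [datetime.fromisoformat(t) for t in restarts]
    events = [(datetime.fromisoformat(t), ip) for t, ip in pfcp_rx]
    window = timedelta(seconds=window_s)
    totals = Counter(ip for _, ip in events)
    hits = Counter()
    for r in restart_times:
        # Set comprehension: one hit per source per restart, however chatty.
        hits.update({ip for t, ip in events if r - window <= t <= r})
    return [
        {
            "source": ip,
            "restarts_preceded": n,
            "restart_ratio": round(n / len(restart_times), 2),
            "datagrams_total": totals[ip],
            "trusted_peer": ip in trusted,
        }
        for ip, n in hits.most_common()
    ]

if __name__ == "__main__":
    for row in correlate(RESTARTS, PFCP_RX, window_s=5, trusted=TRUSTED_UPFS):
        print(row)
```

A source with a high `restart_ratio` that is not a trusted peer is a candidate for the access control list described under Workarounds.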
How to Mitigate CVE-2026-8250
Immediate Actions Required
- Restrict N4/PFCP interface exposure to trusted UPF peers using network segmentation and firewall rules
- Audit Open5GS deployments to identify instances running version 2.7.7 or earlier
- Monitor the Open5GS GitHub Issue #4444 for upstream remediation status
Patch Information
No official patch has been released at the time of publication. The Open5GS project was notified through an issue report but has not yet responded. Track the Open5GS repository for fixes to /src/smf/n4-build.c.
Workarounds
- Place the SMF behind a PFCP-aware gateway that validates session modification messages before forwarding
- Apply strict access control lists so only authorized UPF nodes can reach the SMF N4 endpoint
- Implement process supervisors that automatically restart the SMF and capture crash artifacts for analysis
```bash
# Example iptables rule restricting PFCP (port 8805) to trusted UPF peers
iptables -A INPUT -p udp --dport 8805 -s <trusted_upf_ip> -j ACCEPT
iptables -A INPUT -p udp --dport 8805 -j DROP
```


