CVE-2026-8267 Overview
CVE-2026-8267 is a denial of service vulnerability in Open5GS versions up to 2.7.7. The flaw resides in the smf_nsmf_handle_created_data_in_vsmf function within the Session Management Function (SMF) component. An authenticated remote attacker can manipulate input to this function to cause a denial of service condition. The vulnerability is classified under CWE-404 (Improper Resource Shutdown or Release). A public exploit has been disclosed, and the Open5GS project was notified through a GitHub issue but has not yet responded at the time of publication.
Critical Impact
Remote attackers with low privileges can trigger a denial of service against the Open5GS SMF, disrupting 5G core network session management functionality.
Affected Products
- Open5GS versions up to and including 2.7.7
- Open5GS SMF (Session Management Function) component
- Deployments exposing the smf_nsmf_handle_created_data_in_vsmf function to network access
Discovery Timeline
- 2026-05-11 - CVE-2026-8267 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-8267
Vulnerability Analysis
The vulnerability affects the smf_nsmf_handle_created_data_in_vsmf function within the Open5GS SMF. Open5GS is an open-source implementation of 5G Core and EPC components used in mobile network deployments. The SMF handles Protocol Data Unit (PDU) session establishment, modification, and release in 5G networks. When the SMF processes specially crafted data through the affected handler, it fails to properly manage resources, leading to a denial of service.
The issue is categorized as [CWE-404] Improper Resource Shutdown or Release. This class of weakness occurs when a system does not properly release resources after they are no longer needed, resulting in resource exhaustion or unstable program state. In the context of the SMF, this can interrupt session management for connected user equipment.
Root Cause
The root cause lies in how the smf_nsmf_handle_created_data_in_vsmf function handles Nsmf service-based interface data when the SMF acts as a Visited SMF (vSMF) during roaming or session creation scenarios. Improper validation or resource handling within this function path allows attacker-supplied input to disrupt normal execution flow. The Open5GS project has been informed through GitHub Issue #4448 but has not yet released a fix.
Attack Vector
The attack is initiated remotely over the network and requires low privileges. An attacker with access to the Nsmf service-based interface can send malformed or unexpected data to the affected handler. Because the SMF is a core component of 5G session management, a successful attack disrupts availability for subscribers relying on that SMF instance. No user interaction is required.
The vulnerability mechanism is documented in the public references. See the GitHub Open5GS Repository and VulDB Vulnerability #362564 for additional technical context.
Detection Methods for CVE-2026-8267
Indicators of Compromise
- Unexpected restarts, crashes, or hangs of the Open5GS SMF process
- Spikes in failed PDU session establishment or modification requests
- Anomalous Nsmf service-based interface traffic from unauthorized peers
- Log entries referencing failures in the smf_nsmf_handle_created_data_in_vsmf code path
Detection Strategies
- Monitor Open5GS SMF process health and restart counts using infrastructure monitoring tools
- Inspect application logs for errors generated near the smf_nsmf_handle_created_data_in_vsmf function
- Capture and analyze Service-Based Interface (SBI) HTTP/2 traffic toward the SMF for malformed payloads
- Compare Open5GS deployment versions against the affected range (up to 2.7.7) for exposure assessment
Monitoring Recommendations
- Establish baselines for SMF availability, session counts, and SBI request rates
- Forward Open5GS logs and host telemetry to a centralized SIEM for correlation
- Alert on repeated SMF crashes or systemd service restarts within short time windows
- Track requests to Nsmf endpoints from unexpected source addresses or producer identifiers
How to Mitigate CVE-2026-8267
Immediate Actions Required
- Inventory all Open5GS deployments and identify instances running version 2.7.7 or earlier
- Restrict network access to the SMF Nsmf interface using firewall rules and network policies
- Enforce mutual TLS and strict peer authentication on Service-Based Interfaces
- Subscribe to updates on GitHub Issue #4448 to track upstream remediation
Patch Information
At the time of publication, the Open5GS project has not released a patch addressing CVE-2026-8267. Monitor the GitHub Open5GS Repository and the project's release notes for fixes. Apply updates as soon as they become available and validate them in a staging environment before production rollout.
Workarounds
- Limit Nsmf service-based interface exposure to trusted 5G core network functions only
- Deploy rate limiting and anomaly detection on SBI traffic destined for the SMF
- Run multiple SMF instances behind load balancers to maintain availability if one instance is disrupted
- Isolate Open5GS components in segmented network zones to reduce the remote attack surface
# Example: restrict access to the Open5GS SMF SBI port using iptables
# Replace 7777 with your configured SMF SBI port and adjust trusted CIDR
iptables -A INPUT -p tcp --dport 7777 -s 10.10.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
