CVE-2026-8268 Overview
CVE-2026-8268 is a denial of service vulnerability in Open5GS versions up to 2.7.7. The flaw resides in the OpenAPI_list_create function within the Session Management Function (SMF) component. Remote attackers with low privileges can manipulate inputs to this function to trigger a denial of service condition. The issue is categorized under [CWE-404] (Improper Resource Shutdown or Release).
The vulnerability has been publicly disclosed and the Open5GS project was notified through an issue report but has not yet responded. Open5GS is a widely used open-source implementation of 4G/LTE and 5G Core network functions, making the SMF a critical component for mobile core deployments.
Critical Impact
Remote attackers can disrupt the SMF component of Open5GS deployments, affecting session management in 4G/5G core network operations.
Affected Products
- Open5GS versions up to and including 2.7.7
- Open5GS SMF (Session Management Function) component
- Deployments using OpenAPI_list_create in service-based architecture
Discovery Timeline
- 2026-05-11 - CVE-2026-8268 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-8268
Vulnerability Analysis
The vulnerability affects the OpenAPI_list_create function used by the Open5GS SMF component. Open5GS implements 3GPP service-based interfaces using OpenAPI structures, and OpenAPI_list_create is invoked when constructing list objects for HTTP/2-based Network Function (NF) communications.
When the function processes attacker-influenced input, it fails to properly release or manage allocated resources. Repeated exploitation degrades the availability of the SMF, which manages PDU sessions for User Equipment (UE) attached to the mobile core. Loss of SMF availability disrupts session establishment, modification, and release across the network.
The attacker requires network reachability to the affected SMF interface and a low level of privilege, but no user interaction. Confidentiality and integrity are not affected by this issue.
Root Cause
The root cause is improper resource shutdown or release [CWE-404] within OpenAPI_list_create. The function does not adequately handle resource lifecycle when processing certain inputs, leading to resource consumption or process disruption in the SMF.
Attack Vector
An attacker reaches the SMF over the network and submits crafted requests that traverse the OpenAPI list construction path. Because the SMF participates in service-based interfaces with other Network Functions, any peer with access to these interfaces can submit traffic that reaches the vulnerable code path. The exploit has been publicly disclosed, increasing the likelihood of opportunistic abuse against exposed mobile core deployments.
No verified proof-of-concept code is published in the referenced advisories. See the GitHub Issue Tracker #4449 and VulDB Vulnerability #362565 for technical context.
Detection Methods for CVE-2026-8268
Indicators of Compromise
- Unexpected restarts, crashes, or hangs of the Open5GS smf process
- Spikes in memory or file descriptor usage by the SMF process without corresponding session load
- Failed PDU session establishment requests reported by AMF or UPF peers
Detection Strategies
- Monitor SMF process logs for abnormal termination, assertion failures, or resource allocation errors during OpenAPI message handling
- Inspect service-based interface (SBI) traffic for malformed or unusual list structures targeting the SMF
- Correlate SMF availability metrics with inbound HTTP/2 request patterns to identify abuse
Monitoring Recommendations
- Track SMF uptime, restart counts, and resource utilization through Prometheus or equivalent telemetry
- Alert on sustained increases in 5xx responses from the SMF on N11, N7, and N10 interfaces
- Capture and retain SBI traffic samples for forensic analysis when SMF degradation is observed
How to Mitigate CVE-2026-8268
Immediate Actions Required
- Restrict network access to the SMF service-based interfaces to authorized Network Functions only
- Deploy network segmentation and firewall rules around the 5G core control plane
- Monitor the Open5GS GitHub repository for a fixed release and apply updates once available
Patch Information
No official patch has been released. The project was informed through GitHub Issue #4449 but has not yet responded. Operators should track the upstream repository and the VulDB entry #362565 for remediation status.
Workarounds
- Limit SBI exposure using mTLS and strict peer authentication between Network Functions
- Place a hardened reverse proxy or API gateway in front of the SMF to validate OpenAPI message structures
- Apply rate limiting on inbound HTTP/2 requests to the SMF to reduce the impact of repeated exploitation attempts
- Maintain process supervision (systemd, Kubernetes liveness probes) to recover the SMF quickly after disruption
# Example: restrict SMF SBI access to known NF peers via iptables
iptables -A INPUT -p tcp --dport 7777 -s <AMF_IP> -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -s <UPF_IP> -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
