CVE-2026-8269 Overview
CVE-2026-8269 is a denial of service vulnerability affecting Open5GS versions up to 2.7.7. The flaw resides in the smf_nsmf_handle_create_sm_context function of the Session Management Function (SMF) component. Remote attackers with low privileges can manipulate input to this function and trigger a denial of service condition. The vulnerability is classified under CWE-404 (Improper Resource Shutdown or Release). Public exploit details have been released, and the Open5GS project was notified through an issue report but has not yet responded.
Critical Impact
Remote authenticated attackers can disrupt the Open5GS SMF component, impacting 5G session management availability for connected subscribers.
Affected Products
- Open5GS versions up to and including 2.7.7
- Session Management Function (SMF) component
- Deployments using the smf_nsmf_handle_create_sm_context handler
Discovery Timeline
- 2026-05-11 - CVE-2026-8269 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-8269
Vulnerability Analysis
The vulnerability exists in the smf_nsmf_handle_create_sm_context function within the Open5GS SMF component. This function processes Create SM Context requests as part of the Nsmf service-based interface defined in 3GPP 5G core network specifications. Improper resource shutdown or release ([CWE-404]) within this handler allows a remote attacker to cause the SMF process to enter a denial of service state.
Open5GS is an open-source implementation of 5G Core and EPC network functions. The SMF is responsible for session establishment, modification, and release for user equipment. A disruption of this component prevents subscribers from establishing new PDU sessions, breaking 5G connectivity for affected deployments.
The EPSS probability is 0.045% (14th percentile), indicating low predicted exploitation likelihood despite public exploit availability.
Root Cause
The root cause is improper resource handling within smf_nsmf_handle_create_sm_context. When malformed or specifically crafted Create SM Context requests arrive at the SMF, the function fails to properly release or shut down associated resources. This leads to a service-disrupting condition classified under [CWE-404].
Attack Vector
The attack vector is network-based and requires low privileges, with no user interaction. An attacker positioned to send Nsmf service-based interface requests to the SMF can repeatedly invoke the vulnerable handler. The result is loss of availability for the SMF, while confidentiality and integrity remain unaffected.
No verified exploit code is published in a structured proof-of-concept repository. Refer to GitHub Issue #4450 and the VulDB Vulnerability Record for additional technical context.
// No verified exploitation code available
// See GitHub Issue #4450 for technical details on the SMF DoS condition
Detection Methods for CVE-2026-8269
Indicators of Compromise
- Repeated Create SM Context requests to the SMF Nsmf interface originating from a narrow set of source addresses
- SMF process crashes, restarts, or unresponsiveness in Open5GS deployments running 2.7.7 or earlier
- Subscriber reports of failed PDU session establishment correlated with SMF anomalies
- Abnormal resource consumption patterns in the SMF process prior to service disruption
Detection Strategies
- Monitor SMF logs for errors generated by the smf_nsmf_handle_create_sm_context code path
- Inspect Nsmf interface traffic for malformed Create SM Context payloads using a service-based interface aware analyzer
- Track SMF process uptime and restart counts; sudden drops indicate possible exploitation
- Correlate session establishment failure rates with inbound Nsmf request volumes
Monitoring Recommendations
- Ingest SMF and 5G core function logs into a centralized analytics platform for baseline behavior modeling
- Alert on unexpected restarts of Open5GS network functions, particularly the SMF binary
- Establish thresholds for Create SM Context request rates per source and alert on deviations
- Monitor host-level metrics (memory, file descriptors, CPU) for the SMF process to detect resource exhaustion
How to Mitigate CVE-2026-8269
Immediate Actions Required
- Inventory all Open5GS deployments and identify instances running version 2.7.7 or earlier
- Restrict network access to the SMF Nsmf service-based interface using strict allow-lists for known AMF and peer NF addresses
- Enable rate limiting on Nsmf endpoints to throttle Create SM Context requests from any single source
- Track the Open5GS GitHub repository and Issue #4450 for upstream remediation status
Patch Information
At the time of publication, the Open5GS maintainers had not responded to the issue report and no official patch is available. Operators should monitor the Open5GS GitHub Repository for commits addressing smf_nsmf_handle_create_sm_context and apply fixes as soon as they are released. Until a patch ships, defense-in-depth network controls are required.
Workarounds
- Place the SMF behind a service mesh or API gateway that validates Nsmf request structure before forwarding
- Deploy network segmentation so the SMF is reachable only from authorized 5G core network functions
- Implement automatic SMF process supervision with health checks and rapid restart to reduce outage duration
- Consider running redundant SMF instances behind a load balancer to maintain availability during exploitation attempts
# Example: restrict Nsmf interface exposure with iptables
# Allow only known AMF peer IPs to reach the SMF SBI port
iptables -A INPUT -p tcp --dport 7777 -s <AMF_IP> -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
