CVE-2026-8270 Overview
CVE-2026-8270 is a denial of service vulnerability in Open5GS, an open-source implementation of 5G Core and EPC components. The flaw resides in the ogs_nas_parse_qos_rules function within the Session Management Function (SMF) component. Affected versions include Open5GS releases up to and including 2.7.7. A remote authenticated attacker with low privileges can manipulate input to trigger improper resource handling [CWE-404], causing the SMF process to enter a denial of service condition. The exploit details have been publicly disclosed through VulDB, though the upstream project has not yet acknowledged the report.
Critical Impact
Remote attackers with low privileges can disrupt 5G core network signaling by crashing or degrading the Open5GS SMF component, impacting subscriber session management.
Affected Products
- Open5GS versions up to and including 2.7.7
- Open5GS SMF (Session Management Function) component
- Deployments using ogs_nas_parse_qos_rules for NAS QoS rule parsing
Discovery Timeline
- 2026-05-11 - CVE-2026-8270 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-8270
Vulnerability Analysis
The vulnerability affects Open5GS, a C-language implementation of the 5G Core (5GC) and Evolved Packet Core (EPC) used for mobile network research and production deployments. The defect lies in the ogs_nas_parse_qos_rules function, which is responsible for parsing Quality of Service (QoS) rules carried within Non-Access Stratum (NAS) signaling messages handled by the SMF.
When a crafted NAS message containing malformed QoS rule data is processed, the parser fails to release or correctly manage allocated resources. This behavior aligns with [CWE-404] Improper Resource Shutdown or Release. The result is a denial of service condition affecting the SMF, a core network function responsible for PDU session management in 5G deployments.
Root Cause
The root cause is improper resource handling inside ogs_nas_parse_qos_rules. The function does not robustly validate or clean up state when parsing malformed QoS rule structures. Repeated exposure to crafted input degrades the SMF until it can no longer service legitimate sessions.
Attack Vector
The attack vector is network-based and requires low privileges. An attacker positioned to send NAS signaling toward the Open5GS SMF can deliver malformed QoS rule data to trigger the fault. No user interaction is required. Because public disclosure references the issue through GitHub Issue #4451 and VulDB #362567, exploitation details are publicly accessible.
No verified proof-of-concept code is available in the enriched data. Refer to the Open5GS GitHub repository and the linked issue for technical specifics.
Detection Methods for CVE-2026-8270
Indicators of Compromise
- Unexpected crashes, restarts, or hangs of the Open5GS SMF process
- Spikes in malformed or rejected NAS PDU Session Establishment or Modification messages
- Loss of PDU session continuity for subscribers attached through the affected SMF
Detection Strategies
- Monitor SMF service logs for parsing errors referencing QoS rule handling or ogs_nas_parse_qos_rules
- Inspect NAS signaling traffic for anomalous QoS rule IE lengths or malformed encoding patterns
- Correlate SMF availability metrics with surges in session establishment failures across the 5GC
Monitoring Recommendations
- Enable process-level health monitoring on all Open5GS SMF nodes with alerting on abnormal termination
- Capture and retain NAS-layer packet traces at the AMF-SMF interface for forensic review
- Track signaling error rates as a leading indicator of attempted exploitation
How to Mitigate CVE-2026-8270
Immediate Actions Required
- Restrict network access to the Open5GS SMF so only trusted 5G core elements can reach its signaling interfaces
- Apply strict authentication and segmentation between the radio access network and core network functions
- Track the upstream Open5GS GitHub repository for a fix addressing ogs_nas_parse_qos_rules
Patch Information
No vendor patch is referenced in the available advisory data. The project was informed through GitHub Issue #4451 but has not publicly responded. Operators running Open5GS 2.7.7 or earlier should monitor the repository for an updated release and apply it once available.
Workarounds
- Limit exposure of the SMF to untrusted networks using firewall rules and network segmentation
- Deploy rate limiting and anomaly detection on NAS signaling traffic to the SMF
- Implement SMF redundancy so a single component failure does not result in subscriber-wide outage
- Review logs and intrusion detection feeds for traffic patterns referenced in VulDB #362567 CTI Information
# Example: restrict SMF NAS-relevant ports to trusted AMF subnets using iptables
iptables -A INPUT -p sctp --dport 38412 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
