CVE-2026-8290 Overview
CVE-2026-8290 is a denial of service vulnerability in Open5GS versions up to 2.7.7. The flaw resides in the smf_nsmf_handle_update_data_in_vsmf function within /src/smf/nsmf-handler.c, a component of the Session Management Function (SMF). An authenticated remote attacker can manipulate input to this handler to trigger a denial of service condition. Public exploit details have been released, increasing the likelihood of attempted exploitation against exposed 5G core deployments. The vulnerability is categorized under [CWE-404] (Improper Resource Shutdown or Release). According to the disclosure, the Open5GS project was notified through an issue report but has not yet responded with a fix.
Critical Impact
Remote authenticated attackers can disrupt SMF service availability in Open5GS-based 5G core networks, affecting session management for connected subscribers.
Affected Products
- Open5GS versions up to and including 2.7.7
- Open5GS SMF component (/src/smf/nsmf-handler.c)
- 5G core deployments using vulnerable Open5GS builds
Discovery Timeline
- 2026-05-11 - CVE-2026-8290 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-8290
Vulnerability Analysis
The vulnerability affects the smf_nsmf_handle_update_data_in_vsmf function inside /src/smf/nsmf-handler.c. This handler processes Nsmf service-based interface requests related to updating session data in the visited SMF (V-SMF) during roaming or session continuity scenarios. Improper resource handling within this function allows a remote attacker with low privileges to send crafted input that disrupts the SMF process. The CWE-404 classification indicates the underlying defect involves improper shutdown or release of resources, which can leave the SMF in a degraded state and interrupt service for subscribers relying on the affected node.
Root Cause
The root cause is improper resource management in the Nsmf update handler. When the SMF receives a malformed or unexpected update request, the code path fails to release or correctly handle internal resources. Repeated triggering of this code path destabilizes the SMF process, producing a denial of service condition. The Open5GS project has not yet issued an official root-cause statement or patch for the reported issue.
Attack Vector
The attack is conducted over the network against the SMF service-based interface. The attacker requires low-level privileges, consistent with the ability to interact with the 5G service-based architecture as a peer Network Function. No user interaction is required. Because the SMF mediates session establishment and management, disruption affects PDU session creation, modification, and teardown for connected User Equipment. The vulnerability description states the exploit has been publicly released and may be used in attacks. See the GitHub Issue #4454 and VulDB #362587 entries for further technical details.
Detection Methods for CVE-2026-8290
Indicators of Compromise
- Unexpected restarts or crashes of the Open5GS smf process correlating with inbound Nsmf update requests
- Spikes in malformed or unusual SBI traffic targeting the SMF Nsmf endpoint
- Failed PDU session updates or session continuity errors reported by AMF or peer SMFs
- Log entries referencing smf_nsmf_handle_update_data_in_vsmf errors or resource exhaustion
Detection Strategies
- Monitor SMF process health, memory usage, and restart counts in deployment orchestration platforms
- Inspect Nsmf service-based interface traffic for malformed JSON payloads or unexpected schema deviations
- Correlate session management failures across AMF, SMF, and UPF logs to identify abuse patterns
- Enable verbose logging on Open5GS SMF during incident triage to capture handler-level errors
Monitoring Recommendations
- Deploy continuous availability monitoring for SMF endpoints with alerting on service interruptions
- Aggregate Open5GS logs into a central platform and apply rules for resource handling errors
- Track SBI peer behavior and flag NF consumers issuing repeated or anomalous update requests
- Use rate-based detections on Nsmf update operations targeting the V-SMF role
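The rate-based detection and per-peer tracking recommended above can be prototyped over SBI ingress logs. The following is an added example, not code from this advisory or from Open5GS; the log line format, the update path pattern, the function name and the thresholds are assumptions to be adapted to the deployment's own ingress proxy.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed): "<ISO time> <peer IP> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Assumed path pattern for the update operation; adjust to the paths your SMF serves.
UPDATE_RE = re.compile(r"^/nsmf-pdusession/v\d+/pdu-sessions/[^/]+/modify$")

def detect_update_bursts(lines, window_s=10, threshold=5):
    """Alert once per peer that sends `threshold` or more update requests
    within a sliding window of `window_s` seconds (per-peer time order assumed)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # peer -> (timestamp, status) pairs still in the window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not follow the assumed format
        ts, peer, method, path, status = m.groups()
        if method != "POST" or not UPDATE_RE.match(path):
            continue  # only update operations are counted
        now = datetime.fromisoformat(ts)
        q = recent[peer]
        q.append((now, int(status)))
        while now - q[0][0] > window:
            q.popleft()  # expire requests that fell out of the window
        if len(q) >= threshold and peer not in alerts:
            alerts[peer] = {
                "peer": peer,
                "first_seen": q[0][0].isoformat(),
                "count": len(q),
                "errors": sum(1 for _, s in q if s >= 400),
            }
    return list(alerts.values())

# Constructed sample: one peer updates normally, another sends a burst.
PATH = "/nsmf-pdusession/v1/pdu-sessions"
SAMPLE_LOG = [
    f"2026-05-12T10:00:00 10.0.0.11 POST {PATH}/1/modify 200",
    f"2026-05-12T10:00:02 10.0.0.11 POST {PATH} 201",
    f"2026-05-12T10:00:40 10.0.0.11 POST {PATH}/1/modify 200",
] + [f"2026-05-12T10:00:0{i} 10.0.0.21 POST {PATH}/7/modify 400" for i in range(1, 7)]

if __name__ == "__main__":
    for alert in detect_update_bursts(SAMPLE_LOG):
        print(alert)
```

Correlating the `first_seen` time of an alert with SMF restart timestamps from the orchestration platform ties a noisy peer to a specific service interruption.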
How to Mitigate CVE-2026-8290
Immediate Actions Required
- Restrict network access to the Open5GS SMF SBI to authenticated, trusted peer Network Functions only
- Place 5G core control plane traffic on isolated network segments away from general-purpose networks
- Increase monitoring of SMF process stability and Nsmf request volumes
- Track the upstream Open5GS repository for an official patch
Patch Information
At the time of publication, the Open5GS project has not released an official patch for CVE-2026-8290. The disclosure indicates the maintainers were notified via GitHub Issue #4454 but had not yet responded. Operators running Open5GS up to and including version 2.7.7 should monitor the project's repository for security updates and apply fixes once available.
Workarounds
- Enforce mutual TLS and strict authorization on the SBI to limit which NFs can reach SMF Nsmf endpoints
- Apply network policy or service mesh rules that allow only known peer SMFs and AMFs to invoke update operations
- Implement rate limiting at the SBI ingress to throttle abusive update request volumes
- Consider running redundant SMF instances behind a load balancer to maintain availability during exploitation attempts
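# Example: restrict SMF SBI access using iptables to trusted peer NFs
# 7777 is the SBI port and 10.0.0.0/24 the trusted NF subnet in this example; adjust both to your deployment
# Rule order matters: the ACCEPT for trusted peers must come before the DROP
iptables -A INPUT -p tcp --dport 7777 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP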


