Description
A vulnerability was found in Open5GS up to 2.7.7. Affected by this vulnerability is the function pcf_sess_sbi_discover_and_send of the component sm-policies Endpoint. Performing a manipulation results in denial of service. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-10
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the pcf_sess_sbi_discover_and_send function of Open5GS's sm-policies endpoint. An attacker can supply a crafted request that causes the function to crash or hang, resulting in a denial of service against the endpoint. Evidence from the CVE description indicates that exploitation is possible remotely and the exploit code has already been made public.

Affected Systems

Open5GS (vendor: Open5GS), all releases up to version 2.7.7, is affected. The vulnerable code is in the sm-policies component of the 5G Core network. Systems running those versions that expose the sm-policies endpoint are potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog, but the existence of a publicly available exploit and the remote nature of the attack increase the risk of real-world attacks. The likely attack vector is over the network, targeting the sm-policies endpoint through the 5G Core protocol stack.

Generated by OpenCVE AI on May 10, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to an Open5GS release that contains the fix for the sm-policies endpoint once one is available.
  • If an upgrade is not immediately available, restrict or block traffic to the sm-policies endpoint using firewall or WAF rules to reduce the attack surface.
  • Continuously monitor system logs and performance metrics for repeated failures or unexpected terminations of the sm-policies service to detect ongoing exploitation attempts.


Advisories

No advisories yet.

History

Sun, 10 May 2026 03:15:00 +0000

Values added (the Values Removed column is empty):

Description: A vulnerability was found in Open5GS up to 2.7.7. Affected by this vulnerability is the function pcf_sess_sbi_discover_and_send of the component sm-policies Endpoint. Performing a manipulation results in denial of service. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Title: Open5GS sm-policies Endpoint pcf_sess_sbi_discover_and_send denial of service
First Time appeared: Open5gs; Open5gs open5gs
Weaknesses: CWE-404
CPEs: cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*
Vendors & Products: Open5gs; Open5gs open5gs
References:
Metrics:
cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-10T02:45:08.468Z

Reserved: 2026-05-09T07:35:21.709Z

Link: CVE-2026-8223

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T03:16:08.863

Modified: 2026-05-10T03:16:08.863

Link: CVE-2026-8223

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T04:30:04Z

Weaknesses