Description
A vulnerability was found in Open5GS up to 2.7.7. It affects the function update_authorized_pcc_rule_and_qos in the file /src/smf/npcf-handler.c of the SMF component. Manipulation results in denial of service. The attack can be carried out remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability was found in Open5GS up to version 2.7.7 that affects the function update_authorized_pcc_rule_and_qos in the file /src/smf/npcf-handler.c. An attacker can manipulate this handler to trigger a denial of service, causing the SMF component to crash. The flaw is classified as CWE-404, indicating improper resource shutdown or release.

Affected Systems

The affected vendor is Open5GS. The Open5GS SMF component is specifically impacted, in version 2.7.7 and earlier.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate severity, while the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation can be carried out remotely by sending a specially crafted request to the SMF endpoint. Because the project was informed but has not released a fix yet, an attacker with network reach to the SMF interface could repeatedly crash the service, disrupting network connectivity for users.

Generated by OpenCVE AI on May 11, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official patch or upgrade Open5GS to a version later than 2.7.7 when released.
  • If no patch is available, reduce the attack surface by restricting access to SMF API endpoints to trusted networks or disabling the update_authorized_pcc_rule_and_qos handler.
  • Implement rate‑limiting or connection throttling on SMF API calls to mitigate repeated requests that may trigger the denial of service.
  • Continuously monitor SMF logs for abnormal usage patterns and set alerts for potential denial‑of‑service attempts.

Advisories

No advisories yet.

History

Sun, 10 May 2026 23:15:00 +0000

Values added (no values were removed):

Description: A vulnerability was found in Open5GS up to 2.7.7. It affects the function update_authorized_pcc_rule_and_qos in the file /src/smf/npcf-handler.c of the SMF component. Manipulation results in denial of service. The attack can be carried out remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Title: Open5GS SMF npcf-handler.c update_authorized_pcc_rule_and_qos denial of service
First Time appeared: Open5gs; Open5gs open5gs
Weaknesses: CWE-404
CPEs: cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*
Vendors & Products: Open5gs; Open5gs open5gs
References
Metrics:
  cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-10T23:00:21.455Z

Reserved: 2026-05-10T14:40:06.984Z

Link: CVE-2026-8251

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-05-10T23:16:27.563

Modified: 2026-05-11T15:10:16.663

Link: CVE-2026-8251

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T00:30:24Z
