PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8187 Vuldb CVE debrief

CVE-2026-8187 is a medium-severity issue affecting Open5GS UPF in versions up to 2.7.7. The described flaw is in _gtpv1_u_recv_cb within src/upf/gtp-path.c and can be triggered remotely to consume resources. Based on the supplied record, the project was notified early via an issue report, but no response or remediation details were provided in the source corpus.

Vendor
Vuldb
Product
Unknown
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-09
Original CVE updated
2026-05-09
Advisory published
2026-05-09
Advisory updated
2026-05-09

Who should care

Operators and maintainers running Open5GS UPF, especially any deployment exposed to untrusted network traffic. Security teams responsible for telecom core components should treat this as a service-availability risk and verify whether their Open5GS version is within the affected range.

Technical summary

The supplied record states that a manipulation of traffic reaching the UPF receive callback (_gtpv1_u_recv_cb) in src/upf/gtp-path.c can lead to resource consumption from a remote attacker. The mapped weaknesses are CWE-400 and CWE-404, which align with uncontrolled resource use and resource management issues. The record does not provide exploit details, concrete trigger conditions, or a confirmed fix.

Defensive priority

Medium. The issue is remote and can affect availability, but the supplied corpus does not indicate code execution, data exposure, or active exploitation. Prioritize if the UPF is Internet-facing, high-volume, or part of critical mobile-core infrastructure.

Recommended defensive actions

  • Inventory Open5GS deployments and confirm whether UPF is running a version up to 2.7.7.
  • Check the Open5GS project repository and issue tracker references provided in the record for any fix, advisory, or maintainer guidance.
  • Apply vendor or upstream patches as soon as they become available, or constrain exposure to untrusted traffic if immediate upgrading is not possible.
  • Monitor UPF resource usage and service health for abnormal spikes that could indicate abuse of the affected path.
  • If you operate production telecom infrastructure, add this CVE to your change-management and incident-response tracking until remediation status is confirmed.

Evidence notes

This debrief is based only on the supplied CVE record and its referenced official links: the CVE/NVD records plus the Open5GS repository and issue URL listed in the source metadata. The source corpus states: Open5GS up to 2.7.7 is affected; the impacted function is _gtpv1_u_recv_cb in src/upf/gtp-path.c; the impact is resource consumption; the attack can be performed remotely; and the project was informed early via an issue report. No additional technical validation, patch details, or exploit reproduction information was supplied.

Official resources

The CVE was published on 2026-05-09. The supplied record says the project was notified early through an issue report, but the source corpus does not include a response, fix timeline, or confirmation of exploitation in the wild.