PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8223 Vuldb CVE debrief

CVE-2026-8223 is a medium-severity denial-of-service issue reported in Open5GS up to 2.7.7. The supplied record says a remote attacker can trigger the problem by manipulating the sm-policies endpoint path associated with pcf_sess_sbi_discover_and_send, resulting in service disruption. The record also states that a public exploit exists and that the project was notified early through an issue report.

Vendor: Vuldb
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-10
Original CVE updated: 2026-05-10
Advisory published: 2026-05-10
Advisory updated: 2026-05-10

Who should care

Operators and defenders running Open5GS deployments, especially those exposing or relying on the SM policies endpoint, should review this issue. Network service teams should care because the impact is availability loss rather than data exposure.

Technical summary

The supplied vulnerability data attributes CVE-2026-8223 to the Open5GS function pcf_sess_sbi_discover_and_send in the sm-policies endpoint. According to the record, remote manipulation can lead to denial of service. The CVSS vector provided indicates a network attack vector with low complexity and no privileges or user interaction required, with the impact limited to availability. The weakness classification supplied with the record is CWE-404.

Defensive priority

Medium. Prioritize if you operate exposed Open5GS instances or depend on the SM policies service for availability-sensitive workloads.

Recommended defensive actions

  • Inventory Open5GS deployments and confirm whether any instance is at or below version 2.7.7.
  • Check whether the sm-policies endpoint is reachable from untrusted networks and restrict access where possible.
  • Monitor for service instability or crashes affecting Open5GS control-plane components.
  • Track upstream Open5GS advisories, issue #4438, and related release notes for a fix or workaround.
  • Apply vendor guidance or upgrade to a version confirmed by upstream to address the issue once available.
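A triage sketch for the inventory and monitoring actions above, added here as an example and not taken from the CVE record or the Open5GS project. It assumes a systemd-managed install whose units are named open5gs-*.service and whose journal has been exported as text; the hosts, version strings and log lines are constructed sample data.

```python
import re
from collections import Counter

LAST_AFFECTED = (2, 7, 7)  # the record says "up to 2.7.7"
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")
EXIT_RE = re.compile(
    r"(open5gs-\w+\.service): Main process exited, code=(\w+), status=(\S+)")

def in_affected_range(version_string):
    """True/False for a parsable version, None when it needs manual review.
    False only means 'outside the range in the record', not 'confirmed fixed'."""
    m = VERSION_RE.search(version_string)
    if not m:
        return None
    # A git-describe suffix (v2.7.6-31-g0a1b2c3) is compared by its base tag,
    # so such builds stay flagged until upstream names the fixing commit.
    return tuple(int(x) for x in m.groups()) <= LAST_AFFECTED

def abnormal_exits(journal_lines):
    """Count crash-type exits (core dump or fatal signal) per Open5GS unit."""
    counts = Counter()
    for line in journal_lines:
        m = EXIT_RE.search(line)
        if not m:
            continue
        unit, code, status = m.groups()
        # Clean exits and operator-initiated SIGTERM stops are not counted.
        if code == "dumped" or (code == "killed" and status != "15/TERM"):
            counts[unit] += 1
    return counts

# Constructed sample data, not from a real deployment.
INVENTORY = {"core-a": "v2.7.7", "core-b": "v2.7.6-31-g0a1b2c3",
             "core-c": "v2.8.0", "core-d": "unknown"}
JOURNAL = [
    "May 10 09:14:02 core-a systemd[1]: open5gs-pcfd.service: Main process exited, code=dumped, status=6/ABRT",
    "May 10 09:14:07 core-a systemd[1]: open5gs-pcfd.service: Main process exited, code=dumped, status=11/SEGV",
    "May 10 09:20:00 core-a systemd[1]: open5gs-smfd.service: Main process exited, code=killed, status=15/TERM",
    "May 10 09:21:00 core-a systemd[1]: open5gs-amfd.service: Main process exited, code=exited, status=0/SUCCESS",
]

def triage():
    """Return (host -> affected flag, unit -> crash count) for the sample data."""
    return ({h: in_affected_range(v) for h, v in INVENTORY.items()},
            abnormal_exits(JOURNAL))

if __name__ == "__main__":
    versions, crashes = triage()
    for host, flag in versions.items():
        print(host, {True: "in affected range", False: "outside range", None: "review manually"}[flag])
    for unit, n in crashes.items():
        print(unit, "abnormal exits:", n)
```

Repeated abnormal exits of the PCF unit on a host that is also in the affected range are the combination worth escalating first.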

Evidence notes

This debrief is based only on the supplied CVE record and listed references. The record identifies Open5GS as the affected project, names the vulnerable function pcf_sess_sbi_discover_and_send, states that the issue can be triggered remotely, and says a public exploit exists. The supplied references include the Open5GS repository and issue #4438, plus VulDB submission and vulnerability pages. No additional verification was performed beyond the provided corpus.

Official resources

The supplied record shows public disclosure on 2026-05-10. It also states that a public exploit exists and that an earlier issue report was filed with the project.