PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8225 Vuldb CVE debrief

CVE-2026-8225 is a remotely triggerable denial-of-service issue reported in Open5GS up to version 2.7.7. The flaw is described in the delete handling path of the PCF (Policy Control Function), specifically pcf_npcf_smpolicycontrol_handle_delete in src/pcf/sm-sm.c. The available record assigns CWE-404 and a CVSS 4.0 vector indicating network reachability with no privileges or user interaction required, and availability impact only. The source description also notes that a public exploit may exist and that the project was notified early through an issue report but had not responded at the time of the source record.

Vendor: Vuldb (as listed in the stored record; the affected project is Open5GS)
Product: Unknown (as listed in the stored record; the body of the record identifies Open5GS up to 2.7.7)
CVSS: MEDIUM 5.5 (score as stored; the full vector is given under Evidence notes)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-10
Original CVE updated: 2026-05-10
Advisory published: 2026-05-10
Advisory updated: 2026-05-10

Who should care

Operators and maintainers of Open5GS deployments, especially telecom core network teams running the PCF component or exposing its control-plane (SBI) listener beyond the hosts that legitimately call it. Security teams responsible for availability monitoring and patch intake should treat this as relevant because the issue is remotely reachable and affects service uptime.

Technical summary

The supplied record names pcf_npcf_smpolicycontrol_handle_delete in src/pcf/sm-sm.c as the vulnerable function. The name places it in the PCF's Npcf_SMPolicyControl service, on the path that handles the delete operation (termination of an SM policy association), which in a 5G core is normally invoked by the SMF over the service-based interface (SBI). The weakness is categorised as CWE-404 (Improper Resource Shutdown or Release) and the stated impact is denial of service. The CVSS vector in the source (AV:N/AC:L/PR:N/UI:N with availability-only impact) supports treating it as a network-reachable service disruption rather than a data-exposure flaw; PR:N in particular means the record assumes no credential is needed to reach the handler, so anything that can open a connection to the PCF's SBI listener is in scope. The source states that Open5GS versions up to 2.7.7 are affected and does not name a fixed version.

Defensive priority

Medium. The stored CVSS score is 5.5 and the issue is limited to availability, but it is remotely reachable, requires no privileges or user interaction per the supplied vector, and the record notes possible public exploit availability. That combination makes it a practical uptime risk for any Open5GS deployment whose PCF is reachable from a network an attacker can stand on, including a control-plane network reached through a compromised peer network function.

Recommended defensive actions

  • Identify whether Open5GS is deployed and confirm the installed version on each host; treat versions up to 2.7.7 as affected per the supplied record, and treat builds from source that cannot be tied to a release tag as needing manual review.
  • Prioritize patching or upgrading as soon as a vendor fix or upstream resolution is available; the supplied record names no fixed version, so confirm the fix against the upstream repository rather than assuming any later version is safe.
  • Review exposure of the PCF's SBI listener: it should be reachable only from the network functions that legitimately call it (principally the SMF), with everything else dropped by segmentation and host or network filtering.
  • Monitor PCF process health, exits and restart behavior so a denial-of-service event is detected quickly rather than surfacing later as failed session setups at the SMF.
  • Track the upstream Open5GS repository and issue 4440 for remediation status and any official guidance.
  • If you cannot patch immediately, place compensating controls around the affected service and limit who can reach it.
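The first three actions above (inventory the version, decide whether it is in the reported range, and judge how exposed the PCF's SBI listener is) can be run as one triage pass over a host inventory. The script below is an added example written for this debrief; it is not Open5GS project code. Its assumptions are marked in the comments: the layout of git-describe style version strings on builds from a git checkout, that Open5GS ships pcf.yaml with a loopback SBI bind address, and the host inventory itself, which is constructed.

```python
"""Inventory triage for CVE-2026-8225 (Open5GS PCF, reported affected range: up to 2.7.7).

Added example for this debrief, not Open5GS project code. Assumptions are
marked inline; the inventory at the bottom is constructed, not real hosts.
"""
import ipaddress
import re

AFFECTED_MAX = (2, 7, 7)  # inclusive upper bound stated in the stored record

# Release tags look like "2.7.7". Builds from a git checkout carry a
# git-describe suffix such as "2.7.7-12-gabc1234", meaning "12 commits after
# the 2.7.7 tag" (assumption about the suffix layout; adjust if your builds differ).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(\d+)-g[0-9a-f]+)?$")


def parse_version(text):
    """Return ((major, minor, patch), commits_after_tag), or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, commits = m.groups()
    return (int(major), int(minor), int(patch)), int(commits or 0)


def classify_version(text):
    """Place a version string against the affected range from the record.

    affected              release <= 2.7.7
    review                built from git after the 2.7.7 tag; may or may not
                          carry a fix, so check the commit against upstream
    newer-than-reported   release above 2.7.7; outside the stored range, but the
                          record names no fixed version, so still confirm upstream
    unknown               version string not understood
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    release, commits_after = parsed
    if release > AFFECTED_MAX:
        return "newer-than-reported"
    if release == AFFECTED_MAX and commits_after > 0:
        return "review"
    return "affected"


def sbi_exposure(bind_address):
    """Classify where the PCF SBI listener can be reached from, by its bind address."""
    try:
        addr = ipaddress.ip_address(bind_address)
    except ValueError:
        return "unknown"          # hostname or garbage: resolve it before deciding
    if addr.is_unspecified:
        return "all-interfaces"   # 0.0.0.0 or ::, listens on every interface
    if addr.is_loopback:
        return "local-only"       # e.g. a stock loopback bind (assumption about the default config)
    return "network-reachable"


def priority(version_text, bind_address):
    """Combine version class and exposure into a patch-intake priority."""
    vclass = classify_version(version_text)
    exposure = sbi_exposure(bind_address)
    if vclass == "newer-than-reported":
        return "low"
    if exposure in ("all-interfaces", "network-reachable", "unknown"):
        return "high"   # affected, unverified or unknown build, reachable over the network
    return "medium"     # same version classes, but only reachable from the host itself


# Constructed inventory: version as reported by each host and the address the
# PCF SBI server is configured to listen on.
SAMPLE_INVENTORY = [
    {"host": "pcf-lab-01", "version": "2.7.7", "sbi_bind": "127.0.0.13"},
    {"host": "pcf-core-01", "version": "2.7.5", "sbi_bind": "10.45.0.13"},
    {"host": "pcf-core-02", "version": "2.7.7-12-gabc1234", "sbi_bind": "0.0.0.0"},
    {"host": "pcf-build-x", "version": "custom", "sbi_bind": "127.0.0.13"},
]


def triage(inventory):
    """Return one finding per host, highest priority first (stable within a priority)."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for entry in inventory:
        findings.append({
            "host": entry["host"],
            "version_class": classify_version(entry["version"]),
            "exposure": sbi_exposure(entry["sbi_bind"]),
            "priority": priority(entry["version"], entry["sbi_bind"]),
        })
    return sorted(findings, key=lambda f: order[f["priority"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['priority']:6} {f['host']:12} {f['version_class']:20} {f['exposure']}")
```

Two design points: a loopback bind is treated as a mitigating factor, not a resolution, because anything running on the same host (or a compromised co-located network function) can still reach the handler; and a build whose version carries a commit suffix after the 2.7.7 tag is deliberately not marked safe, since the stored record names no fixing commit. Replace SAMPLE_INVENTORY with output from your own configuration management to run it for real.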

Evidence notes

All material facts used here come from the supplied CVE record and its referenced official sources. The record states: Open5GS up to 2.7.7 is affected; the vulnerable function is pcf_npcf_smpolicycontrol_handle_delete in src/pcf/sm-sm.c; the impact is denial of service; the attack can be initiated remotely; and a public exploit may be available. The source metadata lists CWE-404 and the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L, which supports the availability-only, network-reachable characterization. The reference set includes the Open5GS repository and issue 4440, but no patch or vendor response is included in the supplied corpus.

Official resources

The supplied source description says the project was informed early via an issue report and had not responded yet at the time of the record. The CVE was published on 2026-05-10. No patch status or vendor remediation details were included in