diff --git a/advisories/unreviewed/2026/05/GHSA-rr89-wx3j-43cc/GHSA-rr89-wx3j-43cc.json b/advisories/unreviewed/2026/05/GHSA-rr89-wx3j-43cc/GHSA-rr89-wx3j-43cc.json index 0f67550eee04d..e54ebb8018823 100644 --- a/advisories/unreviewed/2026/05/GHSA-rr89-wx3j-43cc/GHSA-rr89-wx3j-43cc.json +++ b/advisories/unreviewed/2026/05/GHSA-rr89-wx3j-43cc/GHSA-rr89-wx3j-43cc.json 
@@ -1,23 +1,40 @@ { "schema_version": "1.4.0", "id": "GHSA-rr89-wx3j-43cc", - "modified": "2026-05-09T12:30:20Z", + "modified": "2026-05-09T12:30:30Z", "published": "2026-05-09T12:30:20Z", "aliases": [ "CVE-2026-8187" ], - "details": "A flaw has been found in Open5GS up to 2.7.7. This impacts the function _gtpv1_u_recv_cb of the file src/upf/gtp-path.c of the component UPF. Executing a manipulation can lead to resource consumption. The attack may be performed from remote. The project was informed of the problem early through an issue report but has not responded yet.", + "summary": "Open5GS UPF _gtpv1_u_recv_cb uncontrolled resource consumption via unauthenticated GTPv1-U flood", + "details": "## Summary\n\nA remotely exploitable uncontrolled resource consumption vulnerability exists in the User Plane Function (UPF) of Open5GS as in an unauthenticated attacker can exhaust CPU and memory on the UPF by flooding it with crafted GTPv1-U packets over UDP port 2152, causing denial of service for all active user sessions. \n\n## Details\n\nThe vulnerability is in `_gtpv1_u_recv_cb()` in `src/upf/gtp-path.c`, which is the libevent I/O callback invoked for every incoming GTPv1-U datagram on the UPF's N3/N9 interface. The function performs no source IP validation and enforces no per-peer rate limit before done checking:\n- Allocating a packet buffer (`ogs_pkbuf_alloc`) for every datagram\n- Processing and responding to **Echo Requests** from any arbitrary source\n- Performing a TEID hash lookup and sending an **Error Indication** reply for every unrecognized TEID\n> By this reasons, because GTPv1-U runs over UDP *a connectionless, unauthenticated protocol* any host that can reach port 2152 can trigger this processing loop at wire speed.\n\n!!!!!! 
Source addresses can also be spoofed.\n\n## Vulnerable code path (`src/upf/gtp-path.c`)\n\n```c\n// Packet received >> no source check, no rate limit\n size = ogs_recvfrom(fd, recvbuf, sizeof(recvbuf), 0, &from); \n\n// pkbuf allocated unconditionally for every datagram\n pkbuf = ogs_pkbuf_alloc(NULL, OGS_MAX_PKT_LEN);\n\n// Echo Requests answered unconditionally >> no throttle\n if (gtp_h->type == OGS_GTPU_MSGTYPE_ECHO_REQ) {\n echo_rsp = ogs_gtp2_handle_echo_req(pkbuf);\n ogs_sendto(fd, echo_rsp->data, echo_rsp->len, 0, &from);\n ogs_pkbuf_free(echo_rsp);\n goto cleanup;\n }\n\n// Unknown TEIDs trigger Error Indication replies >> no throttle\n ogs_gtp1_send_error_indication(sock, teid, 0, &from);\n```\n\n\n\n\n Proposed fix: Two guards should be inserted immediately after `ogs_recvfrom()`, before any buffer allocation or GTP header parsing:\n\n\n1. Source IP allowlist >> reject packets from hosts that have no established PFCP/PDU session:\n>>`gtpu_peer_is_known()` checks `ogs_gtp_node_find_by_addr()` against the existing gnode list, which is already populated during PFCP Session Establishment.\n\n```c\nif (!gtpu_peer_is_known(&from)) {\n /* Silent drop — no Error Indication reply to unknown peers */\n return;\n}\n```\n\n2. Per-peer token-bucket rate limiter >> cap processing at 500 packets/second per source IP using `ogs_hash_t`:\n>>The rate limiter tracks a sliding 1-second window per source IP. Both checks run before `ogs_pkbuf_alloc()`, so no memory is allocated for dropped packets.\n\n```c\nif (!gtpu_rate_allow(&from)) {\n ogs_warn(\"[RATELIMIT] GTP-U flood from [%s]\", peer_key);\n return;\n}\n```\n\n\n\n## Until it is resolved:\n\n1. Restrict inbound UDP/2152 to known gNB CIDR ranges at the network perimeter.\n2. 
Apply kernel-level rate limiting", "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" - }, { "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "GitHub Actions", + "name": "open5gs" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.7.0" + }, + { + "last_affected": "2.7.7" + } + ] + } + ] } ], - "affected": [], "references": [ { "type": "ADVISORY", @@ -31,6 +48,10 @@ "type": "WEB", "url": "https://github.com/open5gs/open5gs" }, + { + "type": "PACKAGE", + "url": "https://github.com/open5gs/open5gs/blob/main/src/upf/gtp-path.c" + }, { "type": "WEB", "url": "https://vuldb.com/submit/800025" @@ -48,7 +69,7 @@ "cwe_ids": [ "CWE-400" ], - "severity": "MODERATE", + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-05-09T11:16:28Z"
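Review bot: In the `@@ -1,23 +1,40 @@` hunk, the new `affected` entry sets `"ecosystem": "GitHub Actions"` with `"name": "open5gs"`, but the advisory concerns a C source file (`src/upf/gtp-path.c`) in the UPF, not a workflow action. Tooling that consumes `affected` would attribute this to a GitHub Actions package, so drop the entry (restoring `"affected": []`) or replace it with a correct package identifier. The `"introduced": "2.7.0"` bound is not supported by anything in the diff; the removed text only said "up to 2.7.7". The same hunk deletes the CVSS_V3 entry and moves the V4 vector from `VA:L` to `VA:H` without citing a source; keep the V3 entry unless it is shown to be wrong. The `details` text needs a copy edit before merge ("as in an unauthenticated attacker", "before done checking", "By this reasons", the stray `!!!!!!`). Item 2 describes the limiter as a token bucket and then as a sliding 1-second window, and the last mitigation, "Apply kernel-level rate limiting", stops without saying how. Because the text itself states that source addresses can be spoofed, it should also say that both proposed guards key on the source IP, which is why the perimeter restriction on UDP/2152 stays necessary even after the fix.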
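Review bot: In the `@@ -31,6 +48,10 @@` hunk, the added reference uses `"type": "PACKAGE"` for a link to a single source file, but in the OSV schema `PACKAGE` denotes the package's home page. Change it to `"type": "WEB"`, or point `PACKAGE` at `https://github.com/open5gs/open5gs`, which is currently listed as `WEB`. The URL also goes through `blob/main`, so it will drift as the file changes; pin it to a tag or commit within the affected range so readers see the code the advisory describes.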
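Review bot: In the `@@ -48,7 +69,7 @@` hunk, `"severity": "HIGH"` follows only from the `VA:L` to `VA:H` edit made earlier in this patch, while `"github_reviewed": false` is unchanged and none of the references added here supports the higher availability impact. Either keep `MODERATE` to match the originally published `A:L` and `VA:L` vectors, or add a reference (issue, maintainer statement, or reproduction) that justifies the raise, so that the label and the vector change on evidence.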