CVE-2025-65564
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-18

Last updated on: 2025-12-19

Assigner: MITRE

Description
A denial-of-service vulnerability exists in the omec-upf (upf-epc-pfcpiface) in version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Association Setup Request that is missing the mandatory Recovery Time Stamp Information Element, the association setup handler dereferences a nil pointer via IE.RecoveryTimeStamp() instead of validating the message. This results in a panic and terminates the UPF process. An attacker who can send PFCP Association Setup Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65564
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wmnsk go-pfcp v0.0.24
omec-project upf 2.1.3-dev
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the omec-project's User Plane Function (UPF) component, specifically in version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Association Setup Request message that is missing the mandatory Recovery Time Stamp Information Element (IE), the code attempts to access this missing IE without checking if it is present. This causes a nil pointer dereference, leading to a runtime panic and crashing the UPF process. An attacker can exploit this by sending malformed PFCP Association Setup Request messages to the UPF's N4/PFCP endpoint repeatedly, causing denial-of-service by crashing the UPF and disrupting user-plane services. [1]

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by crashing the UPF process whenever it receives a malformed PFCP Association Setup Request missing the mandatory Recovery Time Stamp IE. This crash disrupts the UPF's operation, potentially interrupting 5G user-plane services that rely on the UPF for packet forwarding. An attacker capable of sending such malformed messages can repeatedly crash the UPF, causing service outages and impacting network availability. [1]

Detection Guidance

This vulnerability can be detected by monitoring the UPF logs for crash events such as segmentation violations (SIGSEGV) or runtime panics related to nil pointer dereferences when handling PFCP Association Setup Request messages. Additionally, sending crafted PFCP Association Setup Request messages missing the Recovery Time Stamp IE to the UPF's UDP port 8805 can test for the vulnerability. A proof-of-concept Go program exists that crafts such malformed PFCP messages using the github.com/wmnsk/go-pfcp library. Using this PoC or similar tools to send malformed PFCP messages and observing if the UPF process crashes can confirm the presence of the vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include updating the UPF component to a version that includes the fix from Pull Request #964 or later, which adds validation checks for the presence of the Recovery Time Stamp IE in PFCP Association Setup Requests. This fix prevents nil pointer dereferences by validating the message before accessing the Recovery Time Stamp field and handles missing IEs gracefully by returning appropriate PFCP error responses. Until the update can be applied, monitoring and filtering malformed PFCP Association Setup Request messages at the network level to prevent such malformed packets from reaching the UPF may reduce the risk of exploitation. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65564. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart