Executive Summary

CVE-2025-65566 is a denial-of-service vulnerability in the omec-project UPF (User Plane Function) version upf-epc-pfcpiface:2.1.3-dev. It occurs when the UPF receives a PFCP Session Report Response message that is missing the mandatory Cause Information Element (IE). The UPF's session report handler dereferences a nil pointer because it does not properly check for the presence of this mandatory IE, causing a runtime panic and crashing the UPF process. This crash disrupts the UPF's operation and user-plane services. An attacker can exploit this by sending crafted PFCP messages lacking the Cause IE to the UPF's PFCP endpoint, repeatedly causing the crash. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the UPF process to crash repeatedly, resulting in a denial-of-service condition. Since the UPF is responsible for handling user-plane traffic in a network, its crash disrupts user-plane services, potentially causing network outages or degraded service for users relying on the affected UPF instance. An attacker with the ability to send PFCP Session Report Response messages to the UPF can exploit this to disrupt network operations. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or panics in the UPF process, specifically looking for panic stack traces related to nil pointer dereferences in the handleSessionReportResponse function (messages_session.go:546). Additionally, detection can involve capturing and analyzing PFCP Session Report Response messages on the UPF's N4/PFCP endpoint (default UDP port 8805) to identify malformed messages missing the mandatory Cause Information Element. Using packet capture tools like tcpdump or tshark, you can filter PFCP traffic on port 8805 and inspect for Session Report Response messages lacking the Cause IE. Example command to capture PFCP traffic: `tcpdump -i <interface> udp port 8805 -w pfcp_traffic.pcap`. Then, analyze the capture with Wireshark or tshark to check for missing Cause IE in Session Report Response messages. Also, monitoring UPF logs for panic or crash messages referencing nil pointer dereference can help detect exploitation attempts. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the UPF's PFCP endpoint (UDP port 8805) to trusted sources only, such as internal network segments or authorized management hosts, to prevent attackers from sending crafted malformed PFCP messages. Additionally, monitor the UPF process for crashes and implement automated restarts to reduce service disruption. Applying any available patches or updates from the omec-project that address this vulnerability is recommended once released. In the meantime, consider deploying network-level filtering or intrusion prevention rules to block PFCP Session Report Response messages missing the Cause IE or malformed PFCP messages if possible. [1]

Useful 0 Not Useful 0