Executive Summary

CVE-2026-1683 is a remote denial of service (DoS) vulnerability in free5GC SMF version 4.1.0. It occurs in the function HandlePfcpSessionReportRequest when the software processes a PFCP SessionReportRequest message that omits the mandatory ReportType Information Element (IE). Specifically, the code accesses req.ReportType.Dldr without checking if req.ReportType is nil. When a SessionReportRequest is sent without the ReportType IE and the session's uplink connection state is DEACTIVATED, this causes a nil pointer dereference panic that crashes the SMF process. The PFCP dispatcher runs handlers in separate goroutines without panic recovery, so the panic terminates the entire SMF process, resulting in denial of service. The vulnerability can be exploited remotely without authentication or user interaction by sending malformed PFCP messages during normal PDU session procedures. [1, 3, 4]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the free5GC SMF process to crash remotely, resulting in a denial of service (DoS). This means that the affected network function will become unavailable, disrupting session management and potentially causing service outages in 5G networks relying on free5GC SMF. Since the crash occurs without requiring authentication or user interaction, an attacker can exploit this vulnerability remotely to disrupt network availability, impacting service continuity and reliability. [1, 2, 3, 4]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending crafted PFCP SessionReportRequest messages that omit the mandatory ReportType Information Element (IE) to the free5GC SMF component and observing if the SMF process crashes or panics. A proof-of-concept (PoC) exploit is available that operates in two modes: a client mode that sends malicious PFCP messages to the SMF on the PFCP UDP port (default 8805), and a fake UPF mode that simulates a User Plane Function to interact with the SMF and send malformed SessionReportRequest messages. Using the PoC, you can test if your SMF instance is vulnerable by running the client mode to send these malformed requests and monitor for crashes. The PoC is implemented in Go and includes detailed logging to verify the vulnerability. Specific commands would involve running the PoC tool to send these crafted PFCP messages targeting sessions with UpCnxState=DEACTIVATED. Since the vulnerability triggers a nil pointer dereference panic upon receiving such malformed messages, monitoring SMF logs and process stability after sending these requests can confirm detection. [1, 3, 4]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to apply the official patch released for free5GC SMF that fixes the nil pointer dereference in the HandlePfcpSessionReportRequest function by properly checking for the presence of the ReportType IE before accessing it. Users of free5GC SMF versions up to 4.1.0 should promptly update to the patched version to prevent remote denial of service attacks. Additionally, monitoring and restricting incoming PFCP traffic to trusted sources and implementing network-level protections to detect and block malformed PFCP SessionReportRequest messages can help reduce exposure until the patch is applied. [2, 4]

Useful 0 Not Useful 0