CVE-2026-1684
Denial of Service in Free5GC SMF PFCP UDP Endpoint

Publication date: 2026-01-30

Last updated on: 2026-02-23

Assigner: VulDB

Description
A vulnerability was found in Free5GC SMF up to 4.1.0. Affected by this issue is the function HandleReports of the file /internal/context/pfcp_reports.go of the component PFCP UDP Endpoint. The manipulation results in denial of service. The attack can be executed remotely. It is advisable to implement a patch to correct this issue.
Meta Information
Published: 2026-01-30
Last Modified: 2026-02-23
Generated: 2026-05-27
AI Q&A: 2026-01-30
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 1 associated CPE
Vendor: free5gc
Product: free5gc
Version / Range: to 4.1.0 (inc)
CWE ID: CWE-404
Description: The product does not release or incorrectly releases a resource before it is made available for re-use.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-1684 is a remote denial of service (DoS) vulnerability in the free5GC Session Management Function (SMF) component, specifically in its PFCP UDP endpoint. The issue occurs when the SMF receives a PFCP Session Report Request message with the ReportType.USAR flag set to true and a UsageReport Information Element (IE) included, but the VolumeMeasurement sub-IE inside the UsageReport is missing. The SMF's report handling code dereferences the VolumeMeasurement field without checking if it is nil, causing a nil pointer dereference panic. Since the PFCP dispatcher runs handlers in goroutines without panic recovery, this panic crashes the entire SMF process, leading to a denial of service. The vulnerability can be exploited remotely without authentication by sending specially crafted PFCP messages over the network. [1, 3, 4]
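
The failure mode described above, as an added Go example (not free5GC's code or the project's patch; all type and function names are hypothetical stand-ins). It places the unchecked dereference beside a handler that validates the sub-IEs first, and shows a dispatcher goroutine that recovers a handler panic so a single malformed message cannot end the process.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for decoded PFCP IEs; these are not free5GC's types.
type VolumeMeasurement struct{ TotalVolume uint64 }

type UsageReport struct {
	URRID             *uint32            // nil when the sub-IE was absent
	VolumeMeasurement *VolumeMeasurement // nil when the sub-IE was absent
}

var ErrMissingIE = errors.New("usage report: expected sub-IE missing")

// unsafeTotal mirrors the flawed pattern: it dereferences without a nil check.
func unsafeTotal(r *UsageReport) uint64 { return r.VolumeMeasurement.TotalVolume }

// safeTotal rejects a report whose sub-IEs were not present on the wire.
func safeTotal(r *UsageReport) (uint64, error) {
	if r == nil || r.URRID == nil || r.VolumeMeasurement == nil {
		return 0, ErrMissingIE
	}
	return r.VolumeMeasurement.TotalVolume, nil
}

// dispatch runs a handler in its own goroutine and turns a panic into an error.
func dispatch(handler func()) (err error) {
	done := make(chan struct{})
	go func() {
		defer close(done) // runs after the recover below (deferred calls are LIFO)
		defer func() {
			if p := recover(); p != nil {
				err = fmt.Errorf("handler panic recovered: %v", p)
			}
		}()
		handler()
	}()
	<-done
	return err
}

func main() {
	malformed := &UsageReport{} // constructed sample: usage report with sub-IEs absent
	_, err := safeTotal(malformed)
	fmt.Println("validated handler:", err)
	fmt.Println("unvalidated handler:", dispatch(func() { unsafeTotal(malformed) }))
}
```

Without the deferred `recover`, the panic in the handler goroutine would terminate the whole program, which is the process-wide crash the description attributes to the SMF.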


How can this vulnerability impact me?

This vulnerability can cause the free5GC SMF process to crash remotely, resulting in a denial of service. Since the SMF manages session control functions in a 5G core network, its crash disrupts session management and network stability. This can lead to unavailability of critical network services, affecting users and operators relying on the 5G infrastructure. The attack requires no privileges or user interaction and can be executed remotely, making it a significant risk to system availability. [1, 2, 4]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for crashes or panics in the free5GC SMF process, especially triggered by malformed PFCP Session Report Requests. A practical detection method involves sending crafted PFCP Session Report Requests with the ReportType.USAR flag set to true and including a UsageReport IE but omitting the VolumeMeasurement sub-IE (or URRID sub-IE as per variant). The provided proof-of-concept (PoC) tool in Go demonstrates how to send such requests to trigger the crash. Using this PoC in client mode can help test if the SMF is vulnerable by observing if the SMF process crashes upon receiving these malformed requests. Additionally, monitoring logs for nil pointer dereference panics or process crashes in SMF can indicate exploitation attempts. Specific commands would involve running the PoC tool against the SMF target to send these crafted PFCP messages. [1, 3, 4]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to apply the official patch provided by the Free5GC project that corrects the nil pointer dereference issue in the HandleReports function. Promptly updating the SMF component to a patched version eliminates the vulnerability. Additionally, monitoring and restricting PFCP traffic to the SMF to trusted sources can reduce exposure. Since the vulnerability is remotely exploitable without authentication, patching is the most effective mitigation. [2]

