CVE-2026-1684
Unknown Unknown - Not Provided
Denial of Service in Free5GC SMF PFCP UDP Endpoint

Publication date: 2026-01-30

Last updated on: 2026-02-23

Assigner: VulDB

Description
A vulnerability was found in Free5GC SMF up to 4.1.0. Affected by this issue is the function HandleReports of the file /internal/context/pfcp_reports.go of the component PFCP UDP Endpoint. The manipulation results in denial of service. The attack can be executed remotely. It is advisable to implement a patch to correct this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-30
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-01-30
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1684
EUVD
EUVD-2026-5028
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
free5gc free5gc to 4.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1684 is a remote denial of service (DoS) vulnerability in the free5GC Session Management Function (SMF) component, specifically in its PFCP UDP endpoint. The issue occurs when the SMF receives a PFCP Session Report Request message with the ReportType.USAR flag set to true and a UsageReport Information Element (IE) included, but the VolumeMeasurement sub-IE inside the UsageReport is missing. The SMF's report handling code dereferences the VolumeMeasurement field without checking if it is nil, causing a nil pointer dereference panic. Since the PFCP dispatcher runs handlers in goroutines without panic recovery, this panic crashes the entire SMF process, leading to a denial of service. The vulnerability can be exploited remotely without authentication by sending specially crafted PFCP messages over the network. [1, 3, 4]

Impact Analysis

This vulnerability can cause the free5GC SMF process to crash remotely, resulting in a denial of service. Since the SMF manages session control functions in a 5G core network, its crash disrupts session management and network stability. This can lead to unavailability of critical network services, affecting users and operators relying on the 5G infrastructure. The attack requires no privileges or user interaction and can be executed remotely, making it a significant risk to system availability. [1, 2, 4]

Detection Guidance

This vulnerability can be detected by monitoring for crashes or panics in the free5GC SMF process, especially triggered by malformed PFCP Session Report Requests. A practical detection method involves sending crafted PFCP Session Report Requests with the ReportType.USAR flag set to true and including a UsageReport IE but omitting the VolumeMeasurement sub-IE (or URRID sub-IE as per variant). The provided proof-of-concept (PoC) tool in Go demonstrates how to send such requests to trigger the crash. Using this PoC in client mode can help test if the SMF is vulnerable by observing if the SMF process crashes upon receiving these malformed requests. Additionally, monitoring logs for nil pointer dereference panics or process crashes in SMF can indicate exploitation attempts. Specific commands would involve running the PoC tool against the SMF target to send these crafted PFCP messages. [1, 3, 4]

Mitigation Strategies

The immediate mitigation step is to apply the official patch provided by the Free5GC project that corrects the nil pointer dereference issue in the HandleReports function. Promptly updating the SMF component to a patched version eliminates the vulnerability. Additionally, monitoring and restricting PFCP traffic to the SMF to trusted sources can reduce exposure. Since the vulnerability is remotely exploitable without authentication, patching is the most effective mitigation. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1684. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart