Executive Summary

CVE-2025-70122 is a critical heap buffer overflow vulnerability in the User Plane Function (UPF) component of free5GC version 4.0.1. It occurs when the UPF processes a crafted PFCP Session Modification Request containing malformed Service Data Flow (SDF) Filter Information Elements (IEs) with invalid length fields.

Specifically, the vulnerability arises in the SDFFilterFields.UnmarshalBinary function, which fails to verify that the declared length of the SDF Filter IE does not exceed the actual buffer size. This leads to out-of-bounds memory access and a heap buffer overflow, causing a runtime panic and crash of the UPF.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows remote attackers to cause a denial of service (DoS) by sending a malicious PFCP Session Modification Request to the UPF. The UPF crashes due to the heap buffer overflow, terminating all active PFCP sessions and disrupting service for all connected User Equipments (UEs).

The crash also affects the Session Management Function (SMF), which experiences PFCP heartbeat errors and must release UPF resources, potentially causing broader network instability and service outages.

Recovery from this DoS condition requires manual intervention to restart the UPF and restore normal operations.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or runtime panics in the UPF component of free5GC, especially those related to slice bounds out of range errors during SDF Filter unmarshalling.

Detection involves observing the UPF logs for panic messages indicating heap buffer overflow or malformed PFCP Session Modification Requests.

To reproduce or detect the issue, one can attempt to send a crafted PFCP Session Modification Request containing a corrupted SDF Filter IE with invalid length fields to the UPF.

• Establish a PFCP association with the UPF.
• Create a PFCP session.
• Send a malicious PFCP Session Modification Request with corrupted SDF Filter IE length fields.

While specific commands are not provided, network administrators can use PFCP testing tools or scripts to send malformed PFCP messages to the UPF IP (e.g., 127.0.0.8) and monitor for crashes or error logs.

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include preventing the UPF from processing malformed PFCP Session Modification Requests that contain corrupted SDF Filter IE length fields.'}, {'type': 'paragraph', 'content': "Administrators should monitor and restrict access to the UPF's PFCP interface (e.g., IP 127.0.0.8) to trusted sources only, reducing the risk of remote exploitation."}, {'type': 'paragraph', 'content': 'If possible, apply patches or updates from the free5GC project that implement proper bounds checking and validation of SDF Filter IE length fields to prevent heap buffer overflow.'}, {'type': 'paragraph', 'content': 'Until a patch is available, consider implementing network-level filtering or intrusion detection rules to block malformed PFCP Session Modification Requests.'}, {'type': 'paragraph', 'content': 'In case of a UPF crash, manual recovery will be required to restart the UPF service and restore PFCP sessions.'}] [1]

Useful 0 Not Useful 0