Executive Summary

CVE-2026-1739 is a vulnerability in the Free5GC Policy Control Function (PCF) component, specifically in the function HandleCreateSmPolicyRequest. The issue occurs because the code assigns a value from a response object before checking if the response is valid (non-nil). When the PCF receives a CreateSmPolicy request that triggers a downstream OpenAPI call returning a 404 Not Found error, the PCF continues processing without properly handling the error. This leads to a null pointer dereference (accessing data from a nil object), causing the PCF process to panic and crash. This vulnerability can be exploited remotely without authentication, resulting in a denial of service (DoS) by crashing the PCF service. [1, 2, 3, 4, 6]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service (DoS) by crashing the Free5GC PCF process. When exploited, the PCF service handling policy control requests will terminate unexpectedly due to a runtime panic caused by a null pointer dereference. This disrupts the availability of the PCF, potentially impacting network services that rely on it for policy control, leading to service outages or degraded network functionality. [2, 4, 6]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or panics in the free5GC PCF service, especially after receiving HTTP CreateSmPolicy requests. A crafted POST request to the PCF endpoint `/npcf-smpolicycontrol/v1/sm-policies` with JSON data specifying subscriber and session details that triggers a downstream 404 Not Found error can reproduce the issue. Detection involves checking logs for panic stack traces related to `HandleCreateSmPolicyRequest` and observing if the PCF process crashes. A sample command to test the vulnerability could be a curl POST request with crafted JSON data to the PCF endpoint, for example: ```bash curl -X POST https://<pcf-ip>:<port>/npcf-smpolicycontrol/v1/sm-policies \ -H 'Content-Type: application/json' \ -d '{"subscriber": {"id": "imsi-123456789012345"}, "session": {"id": "session1"}}' ``` If this request causes the PCF to crash or log a panic related to nil pointer dereference, the vulnerability is present. [2, 6]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to apply the patch identified by commit `df535f5524314620715e842baf9723efbeb481a7` on the free5GC PCF GitHub repository. This patch fixes the issue by properly checking for errors and ensuring that `smData` is assigned only after confirming the response is not nil, preventing the null pointer dereference and subsequent crash. Until the patch is applied, monitoring and restricting access to the PCF endpoint to trusted sources may reduce the risk of exploitation. [1, 3, 4]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability CVE-2026-1739 causes a denial of service (DoS) by crashing the Free5GC PCF component due to a null pointer dereference. It impacts system availability but does not affect confidentiality or integrity of data.

Since the vulnerability does not compromise confidentiality or integrity, it does not directly lead to data breaches or unauthorized data access that would violate standards like GDPR or HIPAA.

However, the availability impact caused by the DoS could affect compliance with regulations that require continuous availability or service reliability, depending on the criticality of the affected system in the regulated environment.

Overall, the vulnerability primarily risks service disruption rather than data privacy or protection compliance.

Useful 0 Not Useful 0