Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-1973 is a vulnerability in Free5GC versions up to 4.1.0, specifically in the Session Management Function (SMF) component's establishPfcpSession function. The issue is a null pointer dereference that occurs when the SMF processes a malformed PFCP SessionEstablishmentResponse message missing the mandatory Cause Information Element (IE). This causes the SMF process to crash, resulting in a denial of service."}, {'type': 'paragraph', 'content': 'The vulnerability can be exploited remotely without authentication by a rogue or malicious User Plane Function (UPF) that sends crafted PFCP messages omitting required fields. The SMF does not properly check for the presence of the Cause IE before dereferencing it, leading to the crash.'}, {'type': 'paragraph', 'content': 'A proof-of-concept exploit exists that demonstrates how a rogue UPF can trigger this crash by responding to PFCP SessionEstablishmentRequest messages with malformed responses.'}] [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service (DoS) on the Free5GC SMF component by crashing the process when it receives malformed PFCP messages. This impacts system availability, potentially disrupting network services that rely on Free5GC for session management.

Since the attack can be launched remotely without any authentication or user interaction, it is highly accessible to attackers controlling a rogue UPF. This could lead to service outages or degraded network performance.

The exploit is relatively easy to perform, and a proof-of-concept is publicly available, increasing the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the behavior of the free5gc SMF component, specifically looking for crashes or denial of service conditions triggered by malformed PFCP SessionEstablishmentResponse messages.

A practical detection method involves running a proof-of-concept (PoC) rogue UPF server that sends a crafted PFCP SessionEstablishmentResponse message missing the mandatory Cause Information Element (IE) to the SMF. If the SMF crashes or terminates unexpectedly, it indicates the presence of the vulnerability.

Suggested commands include running the PoC rogue UPF server implemented in Go with a command similar to: `go run ./main.go -listen x.x.x.x` where `x.x.x.x` is the IP address to listen on. This server listens on UDP port 8805 and interacts with the SMF to trigger the vulnerability.

Additionally, monitoring system logs for SMF crashes or core dumps related to the `establishPfcpSession` function can help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation step is to apply the official patch provided by the free5gc project that fixes the nil pointer dereference issue in the establishPfcpSession function of the SMF component.

Since the vulnerability can be exploited remotely without authentication, patching is critical to prevent denial of service attacks.

Until the patch is applied, consider monitoring and restricting network traffic to the SMF, especially PFCP messages from untrusted or rogue UPF sources, to reduce the risk of exploitation.

It is also best practice to keep the free5gc SMF component updated to the latest secure version and review logs for any suspicious activity.

Useful 0 Not Useful 0