Executive Summary

CVE-2026-1974 is a vulnerability in Free5GC up to version 4.1.0, specifically in the Session Management Function (SMF) component. It arises from improper handling of mandatory Information Elements (IEs) in PFCP (Packet Forwarding Control Protocol) messages, particularly the missing NodeID IE in PFCP Session Establishment Responses.

When the SMF receives a PFCP Session Establishment Response from a rogue or malicious User Plane Function (UPF) that omits the mandatory NodeID IE, the SMF code attempts to call the method ResolveNodeIdToIp() on a nil NodeID pointer. This causes a runtime panic due to a nil pointer dereference, crashing the SMF process.

This vulnerability allows remote attackers to cause a denial of service (DoS) by crashing the SMF without requiring authentication. The issue is due to missing validation checks for mandatory IEs before usage, and a public proof-of-concept exploit exists demonstrating this attack.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a remote Denial of Service (DoS) condition in the Free5GC SMF component. An attacker controlling a rogue UPF can send malformed PFCP messages that cause the SMF process to crash.

The impact includes disruption of 5G core network operations, as the SMF is a critical function responsible for session management. The crash can cause service unavailability and degrade network reliability.

Since the attack requires no authentication and can be executed remotely, it is straightforward and easy to exploit, increasing the risk of service interruptions.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the SMF (Session Management Function) logs for runtime panics or crashes caused by nil pointer dereferences, specifically at the method ResolveNodeIdToIp in datapath.go around line 145.

Detection can also involve observing unexpected SMF process crashes or denial of service conditions triggered by malformed PFCP Session Establishment Responses missing the mandatory NodeID Information Element (IE).

A practical approach is to run a rogue UPF test server that sends malformed PFCP SessionEstablishmentResponse messages omitting the NodeID IE to see if the SMF crashes, as demonstrated by the publicly available proof-of-concept.

• Check SMF logs for errors or panics related to nil pointer dereference at datapath.go:145.
• Use network packet capture tools (e.g., tcpdump) to monitor PFCP messages on UDP port 8805 for malformed SessionEstablishmentResponse messages missing NodeID IE.
• Run the rogue UPF PoC server with the command: `go run ./main.go -listen <IP_ADDRESS>` to simulate the attack and observe if the SMF crashes.
• Attach a UE and establish a PDU session using UERANSIM tools to trigger PFCP Session Establishment Requests and responses.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to apply the official patch provided for free5gc SMF that adds proper validation and nil checks for mandatory Information Elements (IEs) such as NodeID in PFCP Session Establishment Responses.

This patch prevents nil pointer dereferences by ensuring the SMF gracefully handles missing mandatory IEs, avoiding crashes and denial of service.

Until the patch is applied, monitor the SMF logs closely for crashes and consider restricting or monitoring rogue UPF devices that could send malformed PFCP messages.

• Apply the patch from the official free5gc SMF repository pull request addressing CVE-2026-1974.
• Implement network controls to limit or verify PFCP messages from UPF devices.
• Monitor SMF logs for errors related to missing mandatory IEs and crashes.
• Test the environment with the rogue UPF PoC to verify if the vulnerability is mitigated after patching.

Useful 0 Not Useful 0