Executive Summary

CVE-2026-1975 is a remote vulnerability in Free5GC up to version 4.1.0, specifically in the function identityTriggerType within the file pfcp_reports.go. The issue arises when the Session Management Function (SMF) receives a malformed PFCP SessionReportRequest message that sets the ReportType.USAR flag to 1 and includes a UsageReport Information Element but omits the mandatory UsageReportTrigger sub-IE. This causes the SMF to dereference a null pointer because it attempts to access a field (usarTrigger.Volth) without checking if the UsageReportTrigger IE is present, leading to a crash of the SMF process.

The vulnerability can be exploited remotely by sending crafted PFCP messages from a User Plane Function (UPF) or a spoofed attacker. A proof-of-concept exploit is publicly available, demonstrating how to trigger the crash by sending these malformed messages.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service (DoS) by crashing the SMF process in the Free5GC 5G core network component. When exploited, it disrupts the availability of the SMF, potentially interrupting 5G core network operations and services that depend on it.

The attack requires no authentication and can be executed remotely, making it easier for attackers to cause service outages without affecting confidentiality or integrity of data.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending crafted PFCP SessionReportRequest messages to the target free5gc SMF PFCP endpoint and observing if the SMF process crashes or panics.

Specifically, the detection involves sending a PFCP SessionReportRequest with the ReportType.USAR flag set to 1, including a UsageReport Information Element (IE) with URR-ID and VolumeMeasurement IEs, but deliberately omitting the mandatory UsageReportTrigger sub-IE.

A proof-of-concept (PoC) tool implemented in Go is available that can operate in two modes: client mode to connect and send malicious SessionReportRequest messages to the SMF, and fake UPF mode to simulate a UPF sending the malformed messages.

The PoC tool supports scanning multiple Session Endpoint Identifiers (SEIDs) and waits for SessionReportResponse messages to detect the impact, which can be used as a detection method.

No specific command-line commands are provided in the resources, but using the PoC tool from the GitHub repository linked in Resource 1 is the recommended approach to detect the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to apply the patch released for free5gc that addresses this null pointer dereference vulnerability in the identityTriggerType function of pfcp_reports.go.

Applying the patch will prevent the SMF process from crashing when receiving malformed PFCP SessionReportRequest messages missing the UsageReportTrigger sub-IE.

Until the patch is applied, it is advisable to monitor and restrict PFCP SessionReportRequest messages from untrusted or suspicious UPF sources to reduce the risk of exploitation.

Additionally, network-level protections such as filtering or rate limiting PFCP messages could help mitigate potential denial-of-service attacks exploiting this vulnerability.

Useful 0 Not Useful 0