Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-1976 is a vulnerability in Free5GC up to version 4.1.0, specifically in the Session Management Function (SMF) component's handling of PFCP SessionDeletionResponse messages."}, {'type': 'paragraph', 'content': 'The issue arises because the SMF expects a mandatory Cause Information Element (IE) in the SessionDeletionResponse message. If this Cause IE is missing, the SMF code attempts to access a field within it without checking if the IE is present, causing a null pointer dereference.'}, {'type': 'paragraph', 'content': 'This null pointer dereference leads to a runtime panic and crashes the SMF process, resulting in a Denial of Service (DoS). The vulnerability can be exploited remotely by a malicious or rogue User Plane Function (UPF) that sends a malformed SessionDeletionResponse message missing the Cause IE.'}, {'type': 'paragraph', 'content': 'Proof-of-concept exploit code is publicly available, demonstrating how a rogue UPF can trigger this crash by responding improperly to a SessionDeletionRequest.'}] [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a remote Denial of Service (DoS) attack against the Free5GC SMF component.

An attacker controlling or impersonating a rogue User Plane Function (UPF) can send malformed PFCP SessionDeletionResponse messages that omit the mandatory Cause IE, causing the SMF to crash.

The impact is a loss of availability of the SMF, which is critical for managing 5G sessions, potentially disrupting network services.

No confidentiality or integrity impact is reported, but the availability impact is high due to the crash.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the behavior of the free5GC SMF process for crashes or runtime panics triggered by malformed PFCP SessionDeletionResponse messages missing the mandatory Cause Information Element (IE).

Detection involves observing logs for SMF crashes or segmentation faults at datapath.go line 478, indicating a nil pointer dereference due to missing Cause IE in SessionDeletionResponse.

A practical detection method includes running a rogue UPF that listens for PFCP SessionDeletionRequest messages and sends malformed SessionDeletionResponse messages without the Cause IE to test if the SMF crashes.

While specific commands are not provided, network packet capture tools like tcpdump or Wireshark can be used to capture and analyze PFCP messages between SMF and UPF to identify malformed SessionDeletionResponse messages.

For example, a command to capture PFCP traffic on UDP port 8805 (default PFCP port) could be: tcpdump -i <interface> udp port 8805 -w pfcp_capture.pcap

Analyzing the captured packets for SessionDeletionResponse messages missing the Cause IE can help detect attempts to exploit this vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': "The immediate mitigation step is to apply the patch released for free5GC that addresses the null pointer dereference in the SMF's handling of PFCP SessionDeletionResponse messages."}, {'type': 'paragraph', 'content': 'Until the patch is applied, monitoring and restricting rogue UPF devices on the network can reduce the risk of exploitation.'}, {'type': 'paragraph', 'content': 'Additionally, implementing network-level protections such as filtering or validating PFCP messages to ensure they contain the mandatory Cause IE before reaching the SMF can help mitigate the risk.'}, {'type': 'paragraph', 'content': 'It is also recommended to monitor SMF logs for crashes or panics and restart the SMF process promptly if a crash occurs to maintain service availability.'}] [1, 3]

Useful 0 Not Useful 0