CVE-2026-2525
Unknown Unknown - Not Provided
Remote DoS via PFCP UDP Endpoint in Free5GC

Publication date: 2026-02-16

Last updated on: 2026-02-19

Assigner: VulDB

Description
A vulnerability has been found in Free5GC up to 4.1.0. This affects an unknown function of the component PFCP UDP Endpoint. Such manipulation leads to denial of service. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2525
EUVD
EUVD-2026-6138
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
free5gc free5gc to 4.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2525 is a remote denial-of-service vulnerability in the free5GC User Plane Function (UPF) related to improper handling of malformed PFCP (Packet Forwarding Control Protocol) messages.'}, {'type': 'paragraph', 'content': 'Specifically, the vulnerability occurs when the UPF receives a PFCP Session Establishment Request containing a CreateFAR (Forwarding Action Rule) Information Element (IE) with an OuterHeaderCreation IE that is malformed or too short.'}, {'type': 'paragraph', 'content': "During processing, the UPF attempts to parse this malformed OuterHeaderCreation IE using a method that expects at least 4 bytes, but the malformed IE provides fewer bytes, causing a runtime panic due to an 'index out of range' error."}, {'type': 'paragraph', 'content': 'This panic is not handled within the UPF PFCP server, leading to the entire UPF process crashing and resulting in a denial of service.'}, {'type': 'paragraph', 'content': 'The attack can be launched remotely without authentication by sending a crafted PFCP message, making the UPF unavailable until it is restarted.'}] [1, 3]

Impact Analysis

This vulnerability can cause a denial of service (DoS) condition in the free5GC User Plane Function (UPF), which is a critical component in 5G network infrastructure.

An attacker can remotely crash the UPF by sending a single malformed PFCP message, causing the UPF process to terminate unexpectedly.

The impact is a loss of availability of the UPF, potentially disrupting network services that rely on it.

Since the vulnerability does not affect confidentiality or integrity, the main concern is service disruption and downtime.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring the Free5GC User Plane Function (UPF) for crashes or denial of service events triggered by malformed PFCP Session Establishment Requests.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves identifying PFCP messages containing a CreateFAR Information Element (IE) with an OuterHeaderCreation IE that is malformed or too short (less than 4 bytes). Such malformed messages cause the UPF process to panic and crash.'}, {'type': 'paragraph', 'content': 'A practical detection method is to capture and analyze PFCP traffic on the network, looking for Session Establishment Requests with suspicious or malformed OuterHeaderCreation fields.'}, {'type': 'paragraph', 'content': "Additionally, logs from the UPF process should be monitored for panic stack traces originating from the go-pfcp library's OuterHeaderCreationFields.UnmarshalBinary method, which indicate exploitation attempts."}, {'type': 'paragraph', 'content': 'While no specific commands are provided in the resources, a suggested approach includes using packet capture tools like tcpdump or Wireshark to filter PFCP traffic (UDP port 8805) and inspect the payload for malformed OuterHeaderCreation IEs.'}, {'type': 'list_item', 'content': 'Use tcpdump to capture PFCP traffic: tcpdump -i <interface> udp port 8805 -w pfcp_capture.pcap'}, {'type': 'list_item', 'content': 'Analyze captured traffic with Wireshark to identify malformed PFCP Session Establishment Requests.'}, {'type': 'list_item', 'content': 'Monitor UPF logs for runtime panics or crashes referencing OuterHeaderCreationFields.UnmarshalBinary or similar stack traces.'}] [1, 3]

Mitigation Strategies

Immediate mitigation steps include preventing the UPF from processing malformed PFCP messages that trigger the crash.

Since no official patches or countermeasures are identified, consider the following actions:

  • Restrict network access to the PFCP UDP endpoint (default port 8805) to trusted sources only, minimizing exposure to remote attackers.
  • Implement network-level filtering or intrusion detection rules to block or alert on malformed PFCP Session Establishment Requests containing suspicious OuterHeaderCreation IEs.
  • Monitor UPF logs closely for crashes or panic events and restart the service promptly if it crashes.
  • Consider replacing or upgrading the affected Free5GC UPF component once a fixed version is available.

Overall, limiting exposure and monitoring for exploitation attempts are key until an official patch or update is released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2525. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart