CVE-2026-2525
Remote DoS via PFCP UDP Endpoint in Free5GC
Publication date: 2026-02-16
Last updated on: 2026-02-19
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | free5gc | to 4.1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2525 is a remote denial-of-service vulnerability in the free5GC User Plane Function (UPF) related to improper handling of malformed PFCP (Packet Forwarding Control Protocol) messages.'}, {'type': 'paragraph', 'content': 'Specifically, the vulnerability occurs when the UPF receives a PFCP Session Establishment Request containing a CreateFAR (Forwarding Action Rule) Information Element (IE) with an OuterHeaderCreation IE that is malformed or too short.'}, {'type': 'paragraph', 'content': "During processing, the UPF attempts to parse this malformed OuterHeaderCreation IE using a method that expects at least 4 bytes, but the malformed IE provides fewer bytes, causing a runtime panic due to an 'index out of range' error."}, {'type': 'paragraph', 'content': 'This panic is not handled within the UPF PFCP server, leading to the entire UPF process crashing and resulting in a denial of service.'}, {'type': 'paragraph', 'content': 'The attack can be launched remotely without authentication by sending a crafted PFCP message, making the UPF unavailable until it is restarted.'}] [1, 3]
How can this vulnerability impact me? :
This vulnerability can cause a denial of service (DoS) condition in the free5GC User Plane Function (UPF), which is a critical component in 5G network infrastructure.
An attacker can remotely crash the UPF by sending a single malformed PFCP message, causing the UPF process to terminate unexpectedly.
The impact is a loss of availability of the UPF, potentially disrupting network services that rely on it.
Since the vulnerability does not affect confidentiality or integrity, the main concern is service disruption and downtime.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring the Free5GC User Plane Function (UPF) for crashes or denial of service events triggered by malformed PFCP Session Establishment Requests.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves identifying PFCP messages containing a CreateFAR Information Element (IE) with an OuterHeaderCreation IE that is malformed or too short (less than 4 bytes). Such malformed messages cause the UPF process to panic and crash.'}, {'type': 'paragraph', 'content': 'A practical detection method is to capture and analyze PFCP traffic on the network, looking for Session Establishment Requests with suspicious or malformed OuterHeaderCreation fields.'}, {'type': 'paragraph', 'content': "Additionally, logs from the UPF process should be monitored for panic stack traces originating from the go-pfcp library's OuterHeaderCreationFields.UnmarshalBinary method, which indicate exploitation attempts."}, {'type': 'paragraph', 'content': 'While no specific commands are provided in the resources, a suggested approach includes using packet capture tools like tcpdump or Wireshark to filter PFCP traffic (UDP port 8805) and inspect the payload for malformed OuterHeaderCreation IEs.'}, {'type': 'list_item', 'content': 'Use tcpdump to capture PFCP traffic: tcpdump -i <interface> udp port 8805 -w pfcp_capture.pcap'}, {'type': 'list_item', 'content': 'Analyze captured traffic with Wireshark to identify malformed PFCP Session Establishment Requests.'}, {'type': 'list_item', 'content': 'Monitor UPF logs for runtime panics or crashes referencing OuterHeaderCreationFields.UnmarshalBinary or similar stack traces.'}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing the UPF from processing malformed PFCP messages that trigger the crash.
Since no official patches or countermeasures are identified, consider the following actions:
- Restrict network access to the PFCP UDP endpoint (default port 8805) to trusted sources only, minimizing exposure to remote attackers.
- Implement network-level filtering or intrusion detection rules to block or alert on malformed PFCP Session Establishment Requests containing suspicious OuterHeaderCreation IEs.
- Monitor UPF logs closely for crashes or panic events and restart the service promptly if it crashes.
- Consider replacing or upgrading the affected Free5GC UPF component once a fixed version is available.
Overall, limiting exposure and monitoring for exploitation attempts are key until an official patch or update is released.