Executive Summary

CVE-2026-25501 is a high-severity vulnerability in the free5GC Session Management Function (SMF) component, which is part of an open-source 5G mobile core network project. The vulnerability occurs when the SMF receives a malformed PFCP SessionReportRequest message on its PFCP interface (UDP port 8805). Specifically, if the ReportType field has the Downlink Data Report (DLDR) flag set but the corresponding DownlinkDataReport Information Element (IE) is missing, the SMF attempts to access a nil pointer without checking if it is nil. This causes the SMF process to panic and terminate unexpectedly.

The root cause is a missing nil-check before dereferencing the DownlinkDataReport field in the PFCP message handler, leading to a nil pointer dereference (CWE-476). Because the handler runs inside a goroutine without panic recovery, the entire SMF process crashes, resulting in a remote Denial of Service (DoS).

No official patch is available yet, but mitigations include adding nil-checks, implementing panic recovery around the PFCP handler, restricting access to the PFCP interface to trusted IPs, and filtering malformed PFCP messages at the network edge.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the free5GC SMF process to crash remotely when it receives a specially crafted malformed PFCP SessionReportRequest message. The crash results from a nil pointer dereference, which leads to a panic and termination of the SMF process.

The impact is a remote Denial of Service (DoS) condition, where an attacker can disrupt the availability of the SMF component in the 5G core network by sending malicious PFCP messages. This can affect the stability and reliability of the 5G network services that depend on the SMF.

Since the SMF is critical for session management in 5G networks, its unavailability can lead to service interruptions, degraded network performance, and potential loss of connectivity for users.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring the SMF process for crashes or panics triggered by malformed PFCP SessionReportRequest messages on UDP port 8805. Specifically, look for SessionReportRequest messages where the ReportType.DLDR flag is set but the DownlinkDataReport Information Element (IE) is missing.'}, {'type': 'paragraph', 'content': 'A practical detection approach involves capturing and inspecting PFCP traffic on UDP port 8805 to identify malformed SessionReportRequest messages with the DLDR flag set but missing the DownlinkDataReport IE.'}, {'type': 'paragraph', 'content': 'Suggested commands include using packet capture tools such as tcpdump or tshark to filter and analyze PFCP messages:'}, {'type': 'list_item', 'content': 'tcpdump -i <interface> udp port 8805 -w pfcp_capture.pcap'}, {'type': 'list_item', 'content': "tshark -r pfcp_capture.pcap -Y 'pfcp.SessionReportRequest && pfcp.ReportType.DLDR == 1 && !pfcp.DownlinkDataReport'"}, {'type': 'paragraph', 'content': 'Additionally, monitoring SMF logs for panic or crash messages related to nil pointer dereferences can help detect exploitation attempts.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the SMF PFCP interface (UDP port 8805) so that only trusted UPF IP addresses can communicate with it. This reduces the risk of spoofed or malicious PFCP messages reaching the SMF.

Implement network-level filtering or inspection at the edge to drop or block malformed PFCP SessionReportRequest messages, especially those with the DLDR flag set but missing the DownlinkDataReport IE.

On the software side, adding a nil-check for the DownlinkDataReport IE in the PFCP handler code and wrapping the PFCP handler dispatch in a recover() function can prevent the entire SMF process from crashing due to this vulnerability. These are considered mitigations until an official patch is released.

Useful 0 Not Useful 0