CVE-2026-26024
Denial of Service in free5GC SMF via Malformed PFCP Packet
Publication date: 2026-02-24
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | smf | to 1.4.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in free5GC SMF (Session Management Function), an open-source component for 5G mobile core networks. In versions up to and including 1.4.1, the SMF process panics and terminates when it receives a malformed PFCP SessionReportRequest on the PFCP interface (UDP port 8805). This means that sending a specially crafted malformed message can cause the SMF to crash.
There is no known upstream fix available yet, but some mitigations include restricting access to the PFCP interface to trusted UPF IPs via ACLs or firewalls, dropping or inspecting malformed PFCP messages at the network edge, and adding recovery code around the PFCP handler to prevent the entire process from terminating.
How can this vulnerability impact me? :
This vulnerability can cause the free5GC SMF process to crash when it processes malformed PFCP SessionReportRequest messages. Such crashes can lead to denial of service (DoS) conditions in the 5G core network, disrupting session management functions and potentially impacting network availability and reliability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when the free5GC SMF processes a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface, causing the SMF to panic and terminate.
To detect this vulnerability on your network or system, monitor the SMF logs for panic or termination events related to PFCP SessionReportRequest processing.
Additionally, you can capture and inspect PFCP traffic on UDP port 8805 to identify malformed SessionReportRequest messages.
- Use tcpdump or similar tools to capture PFCP packets: tcpdump -i <interface> udp port 8805
- Analyze captured packets for malformed PFCP SessionReportRequest messages using protocol analyzers or custom scripts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the PFCP interface so that only trusted UPF IP addresses can reach the SMF.
Implement ACLs or firewall rules to limit incoming traffic on UDP port 8805 to trusted sources, reducing the risk of spoofing or abuse.
Where feasible, drop or inspect malformed PFCP SessionReportRequest messages at the network edge before they reach the SMF.
As a mitigation within the SMF, add recover() around the PFCP handler dispatch to prevent the entire process from terminating upon receiving malformed messages.