CVE-2026-26025
Denial of Service in free5GC SMF via Malformed PFCP Packet
Publication date: 2026-02-24
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | smf | to 1.4.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26025 is a remote denial-of-service vulnerability in the free5GC SMF (Session Management Function) component, which is part of an open-source 5G mobile core network project. The vulnerability occurs when the SMF processes a malformed PFCP (Packet Forwarding Control Protocol) SessionReportRequest message that has the ReportType.USAR flag set to 1 (indicating a Usage Report) but omits the mandatory URRID (Usage Report Reference ID) sub-information element.
Due to missing validation, the SMF dereferences a nil pointer when accessing the URRID field, causing the SMF process to panic and terminate unexpectedly. This crash results in a denial of service. The vulnerability can be triggered remotely by a User Plane Function (UPF), or by an attacker spoofing a UPF, that sends a crafted malformed PFCP SessionReportRequest.
How can this vulnerability impact me?
This vulnerability can cause the free5GC SMF process to crash and terminate unexpectedly when it receives a specially crafted malformed PFCP SessionReportRequest message. This leads to a denial of service (DoS) condition, disrupting the session management functionality of the 5G core network.
An attacker who can send or spoof PFCP messages to the SMF can exploit this vulnerability remotely, potentially causing network outages or degraded service availability by crashing the SMF component.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the PFCP (UDP port 8805) interface for malformed SessionReportRequest messages, specifically those with the ReportType.USAR flag set to 1 and missing the mandatory URRID sub-IE.
One practical approach is to capture and analyze PFCP traffic to identify malformed SessionReportRequest messages that could trigger the SMF crash.
- Use packet capture tools like tcpdump to monitor PFCP traffic on UDP port 8805: tcpdump -i <interface> udp port 8805 -w pfcp_capture.pcap
- Analyze captured packets with Wireshark or similar tools to inspect SessionReportRequest messages for missing URRID sub-IE when ReportType.USAR=1.
- Monitor SMF logs for panic or crash messages related to nil pointer dereference or unexpected termination.
Additionally, a Go-based Proof-of-Concept tool exists that can simulate sending malformed PFCP SessionReportRequest messages to test if the SMF is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the PFCP interface to reduce the attack surface and prevent unauthorized or spoofed PFCP messages.
- Apply ACLs or firewall rules to allow only trusted UPF IP addresses to communicate with the SMF on UDP port 8805.
- Drop or inspect malformed PFCP SessionReportRequest messages at the network edge where feasible to prevent malformed packets from reaching the SMF.
- Implement a recover() mechanism around the PFCP handler dispatch in the SMF code to prevent the entire process from terminating upon receiving malformed messages (mitigation only).
Note that no upstream patch is currently available, so these workarounds are necessary to reduce the risk until a proper fix is released.
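The recover() mitigation listed above, as an added Go example that is not free5GC code: a dispatch wrapper that turns a handler panic into an error, next to the nil check on URRID whose absence the description identifies as the flaw. The types and function names are hypothetical stand-ins for a decoded SessionReportRequest, and the sample message is constructed.

```go
package main

import "fmt"

// Hypothetical stand-ins for a decoded SessionReportRequest (not free5GC's types).
type URRID struct{ Value uint32 }
type UsageReport struct{ URRID *URRID } // URRID is nil when the sub-IE was absent
type SessionReportRequest struct {
	USAR         bool // ReportType.USAR flag
	UsageReports []*UsageReport
}

var ErrMissingURRID = fmt.Errorf("pfcp: USAR set but usage report has no URRID")

// validate rejects the malformed shape before any field is dereferenced.
func validate(req *SessionReportRequest) error {
	for _, r := range req.UsageReports {
		if req.USAR && (r == nil || r.URRID == nil) {
			return ErrMissingURRID
		}
	}
	return nil
}

// collectURRIDs models the USAR branch of a handler with no nil check.
func collectURRIDs(req *SessionReportRequest) []uint32 {
	var ids []uint32
	for _, r := range req.UsageReports {
		ids = append(ids, r.URRID.Value) // panics when URRID is nil
	}
	return ids
}

// safeDispatch runs a handler and converts a panic into an error (mitigation only).
func safeDispatch(h func(*SessionReportRequest) []uint32, req *SessionReportRequest) (ids []uint32, err error) {
	defer func() {
		if p := recover(); p != nil {
			ids, err = nil, fmt.Errorf("pfcp: handler panic recovered: %v", p)
		}
	}()
	return h(req), nil
}

func main() {
	bad := &SessionReportRequest{USAR: true, UsageReports: []*UsageReport{{}}} // constructed
	fmt.Println(validate(bad)) // the check that rejects the message up front
	_, err := safeDispatch(collectURRIDs, bad)
	fmt.Println(err) // the process survives the unchecked handler
}
```

recover() only catches a panic in the goroutine where the deferred function runs, so the wrapper has to sit inside each goroutine that executes a PFCP handler.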