Executive Summary

CVE-2026-26025 is a remote denial-of-service vulnerability in the free5gc SMF (Session Management Function) component, which is part of an open-source 5G mobile core network project. The vulnerability occurs when the SMF processes a malformed PFCP (Packet Forwarding Control Protocol) SessionReportRequest message that has the ReportType.USAR flag set to 1 (indicating a Usage Report) but omits the mandatory URRID (Usage Report Reference ID) sub-information element.

Due to missing validation, the SMF dereferences a nil pointer when accessing the URRID field, causing the SMF process to panic and terminate unexpectedly. This crash results in a denial of service. The vulnerability can be triggered remotely by a User Plane Function (UPF) or an attacker spoofing a UPF sending a crafted malformed PFCP SessionReportRequest.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the free5gc SMF process to crash and terminate unexpectedly when it receives a specially crafted malformed PFCP SessionReportRequest message. This leads to a denial of service (DoS) condition, disrupting the session management functionality of the 5G core network.

An attacker who can send or spoof PFCP messages to the SMF can exploit this vulnerability remotely, potentially causing network outages or degraded service availability by crashing the SMF component.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the PFCP (UDP port 8805) interface for malformed SessionReportRequest messages, specifically those with the ReportType.USAR flag set to 1 and missing the mandatory URRID sub-IE.

One practical approach is to capture and analyze PFCP traffic to identify malformed SessionReportRequest messages that could trigger the SMF crash.

• Use packet capture tools like tcpdump to monitor PFCP traffic on UDP port 8805: tcpdump -i <interface> udp port 8805 -w pfcp_capture.pcap
• Analyze captured packets with Wireshark or similar tools to inspect SessionReportRequest messages for missing URRID sub-IE when ReportType.USAR=1.
• Monitor SMF logs for panic or crash messages related to nil pointer dereference or unexpected termination.

Additionally, a Go-based Proof-of-Concept tool exists that can simulate sending malformed PFCP SessionReportRequest messages to test if the SMF is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the PFCP interface to reduce the attack surface and prevent unauthorized or spoofed PFCP messages.

• Apply ACLs or firewall rules to allow only trusted UPF IP addresses to communicate with the SMF on UDP port 8805.
• Drop or inspect malformed PFCP SessionReportRequest messages at the network edge where feasible to prevent malformed packets from reaching the SMF.
• Implement a recover() mechanism around the PFCP handler dispatch in the SMF code to prevent the entire process from terminating upon receiving malformed messages (mitigation only).

Note that no upstream patch is currently available, so these workarounds are necessary to reduce the risk until a proper fix is released.

Useful 0 Not Useful 0