CVE-2025-65568: n/a
A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association, a PFCP Session Establishment Request that includes a CreateFAR with an empty or truncated IPv4 address field is not properly validated. During parsing, parseFAR() calls ip2int(), which performs an out-of-bounds read on the IPv4 address buffer and triggers an index-out-of-range panic. An attacker who can send PFCP Session Establishment Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services.
AI Analysis
Technical Summary
CVE-2025-65568 is a denial-of-service vulnerability in the omec-project UPF (User Plane Function), specifically in the pfcpiface component, version 2.1.3-dev. The vulnerability is reachable after a PFCP (Packet Forwarding Control Protocol) association is established. When the UPF receives a PFCP Session Establishment Request containing a CreateFAR (Forwarding Action Rule) with an empty or truncated IPv4 address field, the pfcpiface component fails to validate this input. During processing, the parseFAR() function calls ip2int(), which attempts to read the IPv4 address buffer. Because the buffer is shorter than expected, the read goes out of bounds and triggers an index-out-of-range panic, which crashes the UPF process. The crash disrupts the user-plane services that the UPF provides, causing a denial-of-service condition. The vulnerability can be exploited remotely without authentication or user interaction by sending crafted PFCP messages to the UPF's N4/PFCP interface. The CVSS v3.1 base score is 7.5, reflecting high severity due to the network attack vector, no privileges required, and high impact on availability. No patches or known exploits are currently publicly available. The CWE classification is CWE-125 (Out-of-bounds Read). This vulnerability primarily affects 5G core network components that implement the omec-project UPF, an open-source user plane function used in some telecom operator deployments.
Potential Impact
For European organizations, particularly telecom operators and mobile network providers deploying 5G infrastructure using the omec-project UPF, this vulnerability poses a significant risk to network availability. Exploitation can cause repeated crashes of the UPF, disrupting user-plane traffic and potentially leading to service outages affecting mobile data connectivity for end users. This can impact critical services relying on 5G networks, including IoT applications, emergency communications, and enterprise connectivity. The denial-of-service condition could also degrade customer experience and result in financial losses or regulatory penalties. Since the vulnerability does not affect confidentiality or integrity, data breaches are unlikely; however, the availability impact on essential telecom infrastructure is severe. The lack of authentication requirements and ease of exploitation over the network increase the threat level. European telecom operators with open-source or customized 5G core deployments are particularly vulnerable, especially if they have not yet implemented mitigations or patches.
Mitigation Recommendations
To mitigate CVE-2025-65568, European telecom operators should immediately audit their 5G core network deployments to identify instances of the omec-project UPF pfcpiface component version 2.1.3-dev or similar vulnerable versions. Operators should implement strict input validation on PFCP Session Establishment Requests, specifically verifying the presence and correctness of IPv4 address fields in CreateFAR elements before processing. Network-level filtering or rate limiting of PFCP messages from untrusted sources can reduce exposure to malicious traffic. Operators should monitor UPF logs and system health for signs of crashes or abnormal behavior indicative of exploitation attempts. Since no official patch is currently available, operators should engage with the omec-project community or vendors for updates and apply patches promptly once released. Additionally, deploying redundancy and failover mechanisms in the user plane can minimize service disruption during an attack. Security teams should incorporate this vulnerability into their incident response plans and threat hunting activities targeting PFCP traffic anomalies.
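The length check recommended above, sketched in Go as an added example; it is not the omec-project source. The names `ip2intUnchecked`, `ip2intChecked`, `ErrBadIPv4` and `panics` are hypothetical, and the unchecked function only reproduces the class of failure (a fixed-width read on a short buffer), not the project's actual ip2int().

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// ErrBadIPv4 (hypothetical) marks an address field that is absent, truncated or not IPv4.
var ErrBadIPv4 = errors.New("invalid IPv4 address field")

// ip2intUnchecked (hypothetical) assumes four bytes are present.
// On a shorter buffer the fixed-width read panics with "index out of range".
func ip2intUnchecked(ip net.IP) uint32 {
	return binary.BigEndian.Uint32(ip)
}

// ip2intChecked validates the field before converting, so a malformed
// rule can be rejected with an error instead of crashing the process.
func ip2intChecked(ip net.IP) (uint32, error) {
	v4 := ip.To4() // nil unless ip is 4 bytes or a 16-byte IPv4-mapped address
	if v4 == nil {
		return 0, ErrBadIPv4
	}
	return binary.BigEndian.Uint32(v4), nil
}

// panics reports whether f panics; unrecovered, that panic would end the process.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	// Constructed inputs: a well-formed, an empty and a truncated address field.
	samples := [][]byte{{10, 0, 0, 1}, {}, {10, 0}}
	for _, raw := range samples {
		v, err := ip2intChecked(net.IP(raw))
		crash := panics(func() { ip2intUnchecked(net.IP(raw)) })
		fmt.Printf("%v checked=(%#x, %v) unchecked panics=%v\n", raw, v, err, crash)
	}
}
```

A caller that receives `ErrBadIPv4` can reject the offending request and keep serving existing sessions.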
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 694451e44eb3efac36a23a4e
Added to database: 12/18/2025, 7:11:32 PM
Last enriched: 12/25/2025, 7:57:34 PM
Last updated: 2/6/2026, 5:58:48 AM