free5GC is an open-source 5G core network implementation, with the go-upf component responsible for the User Plane Function (UPF). Versions of go-upf up to 1.2.6, and corresponding SMF versions up to 1.4.0, contain a vulnerability classified as CWE-20 (Improper Input Validation). Specifically, the UPF improperly processes a malformed PFCP (Packet Forwarding Control Protocol) Association Setup Request sent by a remote attacker. Instead of rejecting the malformed request, the UPF accepts it and transitions into an inconsistent internal state. This corrupted state causes legitimate subsequent PFCP requests to trigger reconnection loops in the SMF (Session Management Function), degrading service availability and causing denial of service in the 5G core network. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. As of the publication date, no patch is available, and no direct application-level mitigations exist. The issue impacts all deployments using the affected free5GC UPF and SMF versions, potentially disrupting 5G core network operations until fixed.

The primary impact of this vulnerability is denial of service within the 5G core network, specifically affecting the UPF and SMF components. Disruption of these critical network functions can lead to degraded or unavailable mobile data services for subscribers, impacting telecommunications providers and their customers. This can cause service outages, loss of connectivity, and degraded user experience. For organizations relying on free5GC for private or public 5G networks, this could interrupt business-critical communications and IoT operations. Although the CVSS score is low, the strategic importance of 5G core network availability means even short disruptions can have significant operational and reputational consequences. The vulnerability does not appear to allow data leakage or privilege escalation, limiting confidentiality and integrity impacts, but availability is clearly affected. The lack of authentication requirements and remote exploitability increase the risk of opportunistic attacks, especially in environments where free5GC is exposed to untrusted networks.

Since no patch is currently available, organizations should implement network-level protections to limit exposure of the free5GC UPF and SMF components to untrusted or public networks. Deploy strict firewall rules and access controls to restrict PFCP traffic to trusted management and control plane hosts only. Monitor network traffic for malformed PFCP Association Setup Requests and anomalous PFCP behavior indicative of exploitation attempts. Employ network segmentation to isolate the 5G core network components from other infrastructure. Prepare for rapid deployment of the official patch once released by free5GC maintainers. Additionally, consider deploying redundancy and failover mechanisms for UPF and SMF components to minimize service disruption if an attack occurs. Engage with free5GC community and vendors for updates and best practices. Avoid exposing free5GC control plane interfaces directly to the internet or untrusted environments until patched.