CVE-2025-70122: n/a
A heap buffer overflow vulnerability in the UPF component of free5GC v4.0.1 allows remote attackers to cause a denial of service via a crafted PFCP Session Modification Request. The issue occurs in the SDFFilterFields.UnmarshalBinary function (sdf-filter.go) when processing a declared length that exceeds the actual buffer capacity, leading to a runtime panic and UPF crash.
AI Analysis
Technical Summary
CVE-2025-70122 is a heap buffer overflow vulnerability identified in the User Plane Function (UPF) component of free5GC version 4.0.1, an open-source 5G core network implementation. The vulnerability arises in the SDFFilterFields.UnmarshalBinary function within the sdf-filter.go source file. Specifically, when processing a PFCP (Packet Forwarding Control Protocol) Session Modification Request, the function reads a declared length field that can exceed the actual buffer capacity. This discrepancy leads to a heap buffer overflow, causing a runtime panic that crashes the UPF process. The UPF is a critical element in 5G networks responsible for forwarding user data packets between the radio access network and external data networks. The vulnerability can be exploited remotely by an unauthenticated attacker sending a specially crafted PFCP Session Modification Request, resulting in a denial of service (DoS) condition by crashing the UPF and disrupting data forwarding. The CVSS v3.1 base score is 7.5, reflecting high severity due to network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although no public exploits are currently known, the impact on network availability is significant given the UPF's role. The vulnerability is categorized under CWE-122 (Heap-based Buffer Overflow). No patches or fixes are currently linked, indicating the need for immediate attention from operators using free5GC. Mitigation requires careful input validation and bounds checking in the affected function to prevent buffer overflows. Given the critical role of UPF in 5G core networks, this vulnerability poses a substantial risk to service continuity and network reliability.
Potential Impact
The primary impact of CVE-2025-70122 is a denial of service condition caused by crashing the UPF component in free5GC 5G core networks. The UPF is responsible for forwarding user plane traffic, so its unavailability can disrupt data sessions, degrade user experience, and potentially cause widespread service outages. Organizations relying on free5GC for 5G core infrastructure, including telecom operators and private network providers, may experience network instability and loss of connectivity for subscribers. This can affect critical services dependent on 5G connectivity, such as IoT deployments, industrial automation, and emergency communications. The vulnerability does not directly compromise confidentiality or integrity but severely impacts availability. Since the attack vector is network-based and requires no authentication or user interaction, exploitation can be automated and launched remotely, increasing the risk of large-scale disruption. The absence of known exploits in the wild currently limits the immediate threat but does not reduce the urgency of mitigation. The vulnerability could be leveraged in targeted attacks against telecom infrastructure or by threat actors aiming to cause service outages in strategic regions. Overall, the impact is high due to the critical nature of the affected component and the ease of exploitation.
Mitigation Recommendations
To mitigate CVE-2025-70122, organizations should first monitor for updates or patches from the free5GC project and apply them promptly once available. In the absence of an official patch, operators should implement strict input validation and bounds checking on PFCP messages, particularly the Session Modification Requests, to ensure declared lengths do not exceed buffer capacities. Network-level protections such as filtering or rate limiting PFCP traffic from untrusted sources can reduce exposure. Deploying anomaly detection systems to identify malformed PFCP packets may help detect exploitation attempts early. Operators should also consider segmenting the 5G core network to limit the attack surface and restrict access to the UPF from external or less trusted networks. Regularly auditing and testing the UPF component with fuzzing tools targeting PFCP message parsing can uncover similar vulnerabilities proactively. Finally, maintaining comprehensive logging and alerting on UPF crashes or unusual PFCP traffic patterns will aid in rapid incident response.
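The bounds check recommended above, as an added Go example that is not free5GC's code: `filterFields`, its 2-byte-length layout, `uncheckedDecode` and `panics` are hypothetical names and a simplified layout assumed for illustration. It contrasts a decoder that trusts the declared length (and panics when the slice runs past the buffer's capacity) with one that returns an error instead.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrShortBuffer marks a declared length that runs past the bytes received.
var ErrShortBuffer = errors.New("declared length exceeds remaining buffer")

// filterFields is a hypothetical stand-in for a decoded IE, not free5GC's type.
type filterFields struct{ FlowDescription []byte }

// UnmarshalBinary decodes an assumed layout: 2-byte big-endian length, then data.
func (f *filterFields) UnmarshalBinary(data []byte) error {
	if len(data) < 2 {
		return fmt.Errorf("%w: no length field", ErrShortBuffer)
	}
	n := int(binary.BigEndian.Uint16(data))
	rest := data[2:]
	if n > len(rest) { // check against bytes present, never against the header
		return fmt.Errorf("%w: declared %d, have %d", ErrShortBuffer, n, len(rest))
	}
	f.FlowDescription = append([]byte(nil), rest[:n]...) // copy, do not alias input
	return nil
}

// uncheckedDecode trusts the declared length; slicing past cap(data) panics.
func uncheckedDecode(data []byte) []byte {
	n := int(binary.BigEndian.Uint16(data))
	return data[2 : 2+n]
}

// panics runs fn and reports whether it panicked, so the crash mode is observable.
func panics(fn func()) (p bool) {
	defer func() { p = recover() != nil }()
	fn()
	return false
}

func main() {
	good := []byte{0x00, 0x03, 'a', 'b', 'c'} // constructed sample
	bad := []byte{0x00, 0xff, 'a', 'b', 'c'}  // constructed: declares 255, carries 3
	var f filterFields
	fmt.Println("checked good:", f.UnmarshalBinary(good), string(f.FlowDescription))
	fmt.Println("checked bad: ", f.UnmarshalBinary(bad))
	fmt.Println("unchecked bad panics:", panics(func() { uncheckedDecode(bad) }))
}
```

The same `UnmarshalBinary` method can serve as a target for Go's built-in fuzzing when auditing other length-prefixed fields.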
Affected Countries
United States, China, South Korea, Japan, Germany, United Kingdom, France, India, Italy, Canada, Australia, Brazil, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-01-09T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 698f5286c9e1ff5ad84a5d35
Added to database: 2/13/2026, 4:34:14 PM
Last enriched: 2/20/2026, 10:46:40 PM
Last updated: 3/31/2026, 1:00:04 AM