CVE-2026-1974 identifies a denial of service (DoS) vulnerability in Free5GC, an open-source 5G core network implementation widely used for research and production environments. The vulnerability resides in the SMF (Session Management Function) component, specifically within the ResolveNodeIdToIp function located in internal/sbi/processor/datapath.go. This function is responsible for resolving node identifiers to IP addresses, a critical step in routing and session management within the 5G core. An attacker can remotely send crafted requests that manipulate this function, causing it to malfunction and leading to a denial of service condition. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the ease of exploitation (network vector, no privileges required) and the impact limited to availability. No known exploits have been observed in the wild yet, but a public exploit is available, increasing the risk of future attacks. The vulnerability affects Free5GC versions 4.0 and 4.1.0, and a patch is recommended to remediate the issue. Given Free5GC's role in 5G core networks, this vulnerability can disrupt session management and degrade or halt 5G service delivery.

For European organizations, particularly telecom operators and service providers deploying Free5GC in their 5G core networks, this vulnerability poses a significant risk to network availability and service continuity. A successful denial of service attack could disrupt session management, leading to dropped connections, degraded user experience, and potential outages affecting critical communications infrastructure. This is especially impactful in countries aggressively rolling out 5G services or those relying on open-source 5G core implementations to reduce costs or increase flexibility. Disruptions could affect not only consumer mobile services but also enterprise and industrial applications dependent on 5G connectivity, including IoT, smart cities, and emergency services. The remote and unauthenticated nature of the exploit increases the attack surface, potentially allowing malicious actors to target networks without insider access. While no widespread exploitation is reported yet, the availability of a public exploit raises the likelihood of opportunistic attacks. Regulatory and compliance implications may arise if service level agreements (SLAs) are breached due to outages caused by this vulnerability.

European organizations should immediately verify if their 5G core deployments use Free5GC versions 4.0 or 4.1.0 and prioritize applying the official patch once available. In the absence of a patch, network administrators should implement strict network segmentation and firewall rules to restrict access to the SMF component, limiting exposure to untrusted networks. Deploying anomaly detection systems to monitor for unusual traffic patterns targeting the ResolveNodeIdToIp function can help identify exploitation attempts early. Additionally, organizations should conduct regular security audits of their 5G core infrastructure and update incident response plans to include scenarios involving denial of service attacks on core network functions. Collaboration with vendors and open-source communities is recommended to stay informed about updates and emerging threats. Finally, consider deploying redundancy and failover mechanisms within the 5G core to minimize service disruption impact if an attack occurs.