
CVE-2026-25501: CWE-476: NULL Pointer Dereference in free5gc smf

Severity: Medium
Type: Vulnerability
Tags: CVE-2026-25501, cve, cve-2026-25501, cwe-476
Published: Tue Feb 24 2026 (02/24/2026, 00:10:10 UTC)
Source: CVE Database V5
Vendor/Project: free5gc
Product: smf

Description

free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics due to a nil pointer dereference and the SMF process terminates. This is triggered by a malformed PFCP SessionReportRequest on the SMF PFCP (UDP/8805) interface. No known upstream fix is available, but some workarounds are available: ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible; and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/03/2026, 20:39:37 UTC

Technical Analysis

CVE-2026-25501 is a vulnerability in the free5GC open-source 5G core network project, specifically in its Session Management Function (SMF) component up to version 1.4.1. The issue is a NULL pointer dereference (CWE-476) caused by processing a malformed PFCP SessionReportRequest message received on the SMF's PFCP interface, which listens on UDP port 8805. PFCP (Packet Forwarding Control Protocol) is used between the SMF and User Plane Function (UPF) to manage session state and forwarding rules. When the SMF receives a malformed SessionReportRequest, it attempts to dereference a nil pointer, causing the SMF process to panic and terminate unexpectedly. This results in a denial of service (DoS) condition, disrupting session management in the 5G core network. The vulnerability does not require authentication, user interaction, or privileges, and can be exploited remotely by sending crafted PFCP messages. No official upstream patch is currently available, but mitigations include network-level access control lists (ACLs) or firewalls to restrict PFCP interface access to trusted UPF IP addresses, dropping or inspecting malformed PFCP messages at the network edge, and adding recovery code (e.g., Go's recover() function) around the PFCP handler dispatch to prevent the entire SMF process from crashing. The CVSS 4.0 base score is 6.6, reflecting medium severity due to the impact on availability and ease of remote exploitation without authentication. This vulnerability highlights the risks in open-source 5G core components and the importance of robust input validation and fault tolerance in critical telecom infrastructure.

Potential Impact

The primary impact of CVE-2026-25501 is a denial of service condition affecting the SMF component of the free5GC 5G core network. The SMF is responsible for session management, including establishing and maintaining user sessions and forwarding rules between the control and user planes. If the SMF process terminates unexpectedly, it can disrupt ongoing sessions, degrade network performance, and potentially cause service outages for mobile subscribers. This can affect mobile network operators relying on free5GC or similar open-source 5G core implementations, leading to customer dissatisfaction, revenue loss, and reputational damage. Additionally, the vulnerability could be exploited by attackers to cause targeted disruptions or as part of a larger attack chain against 5G infrastructure. Since the vulnerability can be triggered remotely without authentication, it increases the attack surface. However, the lack of known exploits in the wild and the requirement to send malformed PFCP messages somewhat limit immediate widespread exploitation. Still, the critical role of SMF in 5G networks means that even temporary outages can have significant operational impacts.

Mitigation Recommendations

To mitigate CVE-2026-25501, organizations should implement the following specific measures:

1) Restrict access to the SMF PFCP interface (UDP port 8805) using network ACLs or firewalls to allow only trusted UPF IP addresses, minimizing exposure to spoofed or malicious PFCP messages.
2) Deploy deep packet inspection or protocol-aware filtering at the network edge to detect and drop malformed PFCP SessionReportRequest messages before they reach the SMF.
3) Modify the free5GC SMF codebase to add recovery mechanisms (e.g., Go's recover() function) around the PFCP handler dispatch to prevent the entire SMF process from crashing due to nil pointer dereferences.
4) Monitor SMF logs and network traffic for unusual PFCP message patterns or frequent process crashes indicative of exploitation attempts.
5) Engage with the free5GC community and vendors for updates or patches addressing this vulnerability and plan timely upgrades once fixes are available.
6) Consider deploying redundant SMF instances and failover mechanisms to maintain service continuity in case of process termination.

These targeted mitigations go beyond generic advice by focusing on protocol-specific controls and code-level resilience.
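A sketch of the code-level mitigation (recover() around handler dispatch) next to the input check that removes the panic at its source. This is an added example, not free5GC code: the types, handler names and the choice of a missing Report Type IE are hypothetical stand-ins, since the page does not say which field is dereferenced.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified stand-ins for decoded PFCP structures.
type ReportType struct{ Dldr bool }

type SessionReportRequest struct {
	ReportType *ReportType // nil when the IE is absent from the message
}

type Handler func(*SessionReportRequest) error

var ErrMissingIE = errors.New("pfcp: required IE missing, message rejected")

// naiveHandler shows the CWE-476 pattern: an optional pointer field is
// dereferenced without a nil check.
func naiveHandler(req *SessionReportRequest) error {
	_ = req.ReportType.Dldr // panics when ReportType is nil
	return nil
}

// validatingHandler rejects the malformed message before any dereference.
func validatingHandler(req *SessionReportRequest) error {
	if req == nil || req.ReportType == nil {
		return ErrMissingIE
	}
	_ = req.ReportType.Dldr
	return nil
}

// SafeDispatch converts a panic in h into an error so that one bad datagram
// cannot terminate the process. recover() only covers the calling goroutine:
// goroutines started inside h need their own deferred recover.
func SafeDispatch(h Handler, req *SessionReportRequest) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("pfcp handler panic recovered: %v", r)
		}
	}()
	return h(req)
}

func main() {
	malformed := &SessionReportRequest{} // constructed sample input
	fmt.Println(SafeDispatch(naiveHandler, malformed))
	fmt.Println(SafeDispatch(validatingHandler, malformed))
}
```

Logging and counting the recovered-panic error per source address gives the monitoring signal described in measure 4, which would otherwise only show up as process restarts.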


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-02T18:21:42.485Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 699cf533be58cf853bf604d8

Added to database: 2/24/2026, 12:47:47 AM

Last enriched: 3/3/2026, 8:39:37 PM

Last updated: 4/9/2026, 10:03:18 AM
