CVE-2026-25501: CWE-476: NULL Pointer Dereference in free5gc smf
CVE-2026-25501 is a medium-severity vulnerability in free5GC's Session Management Function (SMF) component, affecting versions up to 1.4.1. It involves a NULL pointer dereference triggered by a malformed PFCP SessionReportRequest sent to the SMF's PFCP UDP interface (port 8805). This causes the SMF process to panic and terminate, resulting in denial of service. No upstream patch is currently available, but mitigations include restricting PFCP interface access to trusted UPF IPs, filtering malformed PFCP messages at the network edge, and adding recovery logic to prevent process crashes. The vulnerability can be exploited remotely without authentication or user interaction, impacting availability of the 5G core network's session management. Organizations deploying free5GC SMF should implement network-level controls and consider code-level hardening to reduce risk.
AI Analysis
Technical Summary
CVE-2026-25501 is a NULL pointer dereference vulnerability classified under CWE-476 affecting the Session Management Function (SMF) of free5GC, an open-source 5G core network implementation. The flaw exists in versions up to and including 1.4.1. The vulnerability is triggered when the SMF receives a malformed PFCP (Packet Forwarding Control Protocol) SessionReportRequest message on its UDP port 8805 interface. PFCP is a protocol used between the SMF and User Plane Function (UPF) in 5G networks to manage sessions and forwarding rules. The malformed message causes the SMF to dereference a nil pointer, leading to a panic and termination of the SMF process. This results in a denial of service condition, disrupting session management in the 5G core. The vulnerability requires no authentication or user interaction and can be exploited remotely by sending crafted PFCP messages. There is no known upstream patch as of the publication date, but mitigations include applying access control lists or firewall rules to restrict PFCP traffic to trusted UPF IP addresses, filtering or dropping malformed PFCP SessionReportRequest messages at network boundaries, and adding recover() mechanisms in the PFCP handler code to prevent the entire SMF process from crashing. The CVSS v4.0 base score is 6.6 (medium severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and high impact on availability. This vulnerability highlights the importance of robust input validation and error handling in critical 5G core components.
Potential Impact
The primary impact of CVE-2026-25501 is denial of service (DoS) against the free5GC SMF component, which is responsible for session management in 5G core networks. An attacker can remotely cause the SMF process to crash by sending a single malformed PFCP SessionReportRequest message, disrupting session establishment, modification, and release procedures. This can lead to service outages affecting mobile subscribers relying on the impacted 5G network, causing degraded user experience and potential revenue loss for operators. Since SMF is a central control plane function, its unavailability can also impact downstream network functions and overall network stability. The vulnerability does not directly expose confidentiality or integrity risks but poses a significant availability threat. Organizations deploying free5GC in production environments, especially those with exposed or poorly segmented PFCP interfaces, are at risk. The lack of an official patch increases reliance on network-level mitigations and code hardening. The vulnerability could be exploited by malicious actors or misconfigured devices within the operator's network or by attackers who gain access to the PFCP interface, emphasizing the need for strict access controls.
Mitigation Recommendations
To mitigate CVE-2026-25501, organizations should implement the following specific measures:
1) Restrict access to the SMF PFCP UDP port 8805 using ACLs or firewall rules to allow only trusted and authenticated UPF IP addresses, minimizing exposure to unauthorized or spoofed traffic.
2) Deploy deep packet inspection or protocol-aware filtering at network edges or gateways to detect and drop malformed PFCP SessionReportRequest messages before they reach the SMF.
3) Modify the free5GC SMF source code to add recover() constructs around the PFCP handler dispatch routines to catch nil pointer dereferences and prevent the entire process from terminating, thereby improving resilience.
4) Monitor SMF process health and PFCP traffic patterns to detect anomalies indicative of exploitation attempts.
5) Maintain network segmentation and isolate control plane interfaces to reduce the attack surface.
6) Engage with the free5GC community or vendors for updates and patches addressing this vulnerability.
7) Consider deploying redundancy and failover mechanisms for SMF instances to maintain service continuity in case of crashes.
These targeted mitigations go beyond generic advice by focusing on protocol-specific controls, code-level robustness, and operational monitoring tailored to the free5GC SMF environment.
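Measures 1 and 3 sketched in Go as an added example (not free5GC's own code): a dispatch wrapper that enforces a UPF source allow-list and runs the handler under recover(). The `sessionReport` type, `handleSessionReport`, `safeDispatch` and the allow-list prefix are hypothetical names and constructed values; the handler only models the failure class of dereferencing an optional field without a nil check.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// sessionReport is a hypothetical stand-in for a decoded PFCP
// SessionReportRequest; an IE absent from the wire decodes to nil.
type sessionReport struct{ ReportType *uint8 }

var (
	errUntrustedPeer = errors.New("pfcp: peer not in UPF allow-list")
	errHandlerPanic  = errors.New("pfcp: handler panicked")
	// Constructed sample allow-list; replace with the real UPF addresses.
	trustedUPFs = []netip.Prefix{netip.MustParsePrefix("10.100.200.0/24")}
)

// handleSessionReport models the failure class: it dereferences an optional
// field without a nil check, so a message missing that IE panics.
func handleSessionReport(m *sessionReport) uint8 { return *m.ReportType }

// safeDispatch drops datagrams from peers outside the allow-list, then runs
// the handler under recover() so a panic becomes an error for this one
// message instead of terminating the process.
func safeDispatch(peer netip.Addr, m *sessionReport) (rt uint8, err error) {
	allowed := false
	for _, p := range trustedUPFs {
		allowed = allowed || p.Contains(peer)
	}
	if !allowed {
		return 0, errUntrustedPeer
	}
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: %v", errHandlerPanic, r)
		}
	}()
	return handleSessionReport(m), nil
}

func main() {
	upf := netip.MustParseAddr("10.100.200.2") // constructed trusted peer
	one := uint8(1)
	fmt.Println(safeDispatch(upf, &sessionReport{ReportType: &one}))
	fmt.Println(safeDispatch(upf, &sessionReport{})) // missing IE
	fmt.Println(safeDispatch(netip.MustParseAddr("192.0.2.7"), &sessionReport{}))
}
```

recover() only catches panics raised in the goroutine that deferred it, so the wrapper has to sit in every goroutine that runs handler code. A recovered panic should still be logged and counted, since it marks both a missing nil check and a message worth investigating.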
Affected Countries
United States, China, South Korea, Japan, Germany, France, United Kingdom, India, Brazil, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T18:21:42.485Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 699cf533be58cf853bf604d8
Added to database: 2/24/2026, 12:47:47 AM
Last enriched: 2/24/2026, 1:04:02 AM
Last updated: 2/24/2026, 5:41:34 AM