CVE-2026-26024 is a vulnerability classified as CWE-476 (NULL Pointer Dereference) found in the Session Management Function (SMF) of free5GC, an open-source 5G core network project. The SMF component handles session management and communicates over the PFCP protocol on UDP port 8805. In versions up to and including 1.4.1, the SMF improperly handles malformed PFCP SessionReportRequest messages, leading to a NULL pointer dereference. This causes the SMF process to panic and terminate unexpectedly, resulting in a denial of service condition. The vulnerability can be triggered remotely without authentication or user interaction, making it accessible to attackers who can send crafted PFCP messages to the SMF interface. No official upstream patch is available at the time of disclosure. Workarounds include restricting PFCP interface access to trusted User Plane Function (UPF) IP addresses using ACLs or firewalls to reduce spoofing and abuse potential. Additionally, network edge devices can be configured to drop or inspect malformed PFCP SessionReportRequest messages to prevent them from reaching the SMF. Another mitigation is to modify the SMF code to add recover() constructs around the PFCP handler dispatch to prevent the entire process from terminating upon encountering malformed packets. The CVSS v4.0 base score is 6.6 (medium severity), reflecting network attack vector, low complexity, no privileges or user interaction required, and high impact on availability. This vulnerability poses a risk to the stability and availability of 5G core networks using free5GC SMF, potentially disrupting session management and impacting subscriber services.

The primary impact of CVE-2026-26024 is a denial of service condition on the free5GC SMF component, which is critical for managing sessions in 5G core networks. An attacker who can send crafted PFCP SessionReportRequest messages can cause the SMF to crash, leading to service interruptions. This can degrade network reliability, cause dropped or failed sessions, and impact subscriber experience. In large-scale deployments, repeated exploitation could lead to widespread service outages or force failover to backup systems, increasing operational complexity and costs. Since the SMF is a core network function, its unavailability can affect multiple downstream network functions and services, potentially impacting emergency communications, IoT devices, and enterprise customers relying on 5G connectivity. The vulnerability does not directly expose sensitive data or allow code execution, but the availability impact is significant in the context of telecommunications infrastructure. Organizations using free5GC SMF must consider the risk of targeted attacks or accidental malformed traffic causing outages, especially in environments with less controlled network perimeters.

To mitigate CVE-2026-26024, organizations should implement the following specific measures: 1) Restrict access to the PFCP interface (UDP port 8805) using ACLs or firewalls to allow only trusted User Plane Function (UPF) IP addresses. This reduces the attack surface by preventing unauthorized or spoofed PFCP messages from reaching the SMF. 2) Deploy network edge filtering or deep packet inspection to detect and drop malformed PFCP SessionReportRequest messages before they reach the SMF. This can be done using specialized network security appliances or custom filtering rules. 3) Modify the SMF codebase to add recover() or equivalent exception handling around the PFCP handler dispatch logic to prevent the entire SMF process from terminating on malformed input. This is a mitigation only until an official patch is released. 4) Monitor SMF logs and network traffic for unusual PFCP message patterns or repeated crashes to detect potential exploitation attempts early. 5) Plan for rapid incident response and failover mechanisms to maintain service continuity if the SMF becomes unavailable. 6) Stay updated with free5GC project releases and apply official patches promptly once available. These mitigations go beyond generic advice by focusing on network-level controls and code-level resilience specific to the PFCP interface and SMF behavior.