CVE-2026-26025: CWE-476: NULL Pointer Dereference in free5gc smf
CVE-2026-26025 is a medium severity vulnerability in free5GC's Session Management Function (SMF) component, affecting versions up to 1.4.1. It involves a NULL pointer dereference triggered by processing malformed PFCP SessionReportRequest messages on the UDP/8805 interface, causing the SMF process to panic and terminate. This denial-of-service condition can disrupt 5G core network session management. No official upstream patch is currently available. Mitigations include restricting PFCP interface access to trusted UPF IPs via ACLs/firewalls, dropping or inspecting malformed PFCP messages at the network edge, and implementing recover() wrappers around the PFCP handler to prevent full process crashes. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. Countries with significant 5G deployments using free5GC or similar open-source 5G core implementations are most at risk. Organizations should prioritize network-level filtering and robust error handling to mitigate impact until an official fix is released.
AI Analysis
Technical Summary
CVE-2026-26025 is a vulnerability classified as CWE-476 (NULL Pointer Dereference) found in the Session Management Function (SMF) of free5GC, an open-source 5G core network project. The flaw exists in versions up to and including 1.4.1. The SMF component processes PFCP (Packet Forwarding Control Protocol) messages over UDP port 8805, which is used for control plane communication between the SMF and User Plane Functions (UPFs). When the SMF receives a malformed PFCP SessionReportRequest message, it dereferences a NULL pointer, causing the SMF process to panic and terminate unexpectedly. This results in a denial-of-service (DoS) condition, disrupting session management in the 5G core network. The vulnerability can be exploited remotely without authentication or user interaction, making it accessible to attackers who can send crafted PFCP messages to the SMF. No official patch or upstream fix is currently available. However, workarounds include restricting access to the PFCP interface to trusted UPF IP addresses using ACLs or firewalls to reduce the attack surface and prevent spoofing. Additionally, malformed PFCP messages can be dropped or inspected at the network edge to prevent them from reaching the SMF. Another mitigation involves adding recover() constructs around the PFCP handler dispatch code to prevent the entire SMF process from crashing, thus improving resilience. The CVSS 4.0 base score is 6.6 (medium severity), reflecting the network attack vector, lack of required privileges, and the high impact on availability due to process termination. The vulnerability does not affect confidentiality or integrity directly. Given the critical role of SMF in 5G core networks, this vulnerability poses a significant risk to network stability and service continuity.
Potential Impact
The primary impact of CVE-2026-26025 is a denial-of-service condition in the 5G core network's Session Management Function, which can cause session disruptions and potential service outages for mobile subscribers. Since SMF is responsible for session establishment, modification, and release, its unavailability can lead to dropped calls, failed data sessions, and degraded user experience. This can affect mobile network operators relying on free5GC or similar open-source 5G core implementations, especially in testbeds, research environments, or early deployments. The vulnerability could be exploited by attackers to disrupt network operations remotely without authentication, increasing the risk of targeted attacks or opportunistic disruptions. Although no known exploits are currently in the wild, the ease of exploitation and the criticality of the SMF function mean that attackers could develop exploits. This could have cascading effects on dependent network functions and services, potentially impacting emergency communications and critical infrastructure relying on 5G connectivity. The lack of an official patch increases the window of exposure, making mitigation and network-level protections essential.
Mitigation Recommendations
1. Implement strict ACLs or firewall rules on the PFCP interface (UDP/8805) to allow only trusted and authenticated UPF IP addresses to communicate with the SMF, minimizing exposure to spoofed or malicious packets.
2. Deploy deep packet inspection or protocol-aware filtering at the network edge to detect and drop malformed PFCP SessionReportRequest messages before they reach the SMF.
3. Modify the SMF codebase to include recover() or equivalent exception handling around the PFCP message handler dispatch to prevent the entire SMF process from terminating upon encountering malformed messages, thus improving resilience.
4. Monitor SMF process health and PFCP traffic patterns to detect anomalies indicative of exploitation attempts or malformed message floods.
5. Engage with the free5GC community and maintain awareness for official patches or updates addressing this vulnerability and plan timely upgrades once available.
6. Consider network segmentation to isolate the PFCP interface and limit the blast radius of any potential exploitation.
7. Conduct regular security assessments and fuzz testing on PFCP interfaces to proactively identify and remediate similar vulnerabilities.
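Mitigation 3 as an added Go sketch (not free5GC code and not part of the advisory): a `recover()` wrapper that contains a nil-pointer panic, shown beside the nil check that removes the panic at its source. The type names, the `Report` field and both handlers are hypothetical; they model the CWE-476 pattern and do not identify which PFCP field triggers the real bug.

```go
package main

import (
	"errors"
	"fmt"
	"log"
)

// Hypothetical, simplified types; not free5GC's real structures.
type DownlinkDataReport struct{ PDRID uint16 }

type SessionReportRequest struct {
	SEID   uint64
	Report *DownlinkDataReport // optional element: nil when the peer omits it
}

var ErrHandlerPanic = errors.New("pfcp handler panicked")

// unsafeHandler models the CWE-476 pattern: an optional field used without a nil check.
func unsafeHandler(req *SessionReportRequest) error {
	if req.Report.PDRID == 0 { // panics when Report is nil
		return errors.New("invalid PDR ID")
	}
	return nil
}

// checkedHandler is the root-cause fix: reject the message instead of dereferencing.
func checkedHandler(req *SessionReportRequest) error {
	if req == nil || req.Report == nil {
		return errors.New("session report request missing report element")
	}
	return nil
}

// safeDispatch turns a panic from one message into an error so the process keeps running.
func safeDispatch(h func(*SessionReportRequest) error, req *SessionReportRequest) (err error) {
	defer func() {
		if r := recover(); r != nil {
			log.Printf("pfcp: recovered from handler panic: %v", r)
			err = fmt.Errorf("%w: %v", ErrHandlerPanic, r)
		}
	}()
	return h(req)
}

func main() {
	malformed := &SessionReportRequest{SEID: 1} // constructed input: Report absent
	fmt.Println("unsafe handler: ", safeDispatch(unsafeHandler, malformed))
	fmt.Println("checked handler:", safeDispatch(checkedHandler, malformed))
}
```

`recover()` only catches panics raised on the goroutine that deferred it, so the wrapper has to sit inside every goroutine that runs handler code. Logging each recovered panic also gives the monitoring in item 4 a concrete signal to alert on.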
Affected Countries
United States, China, South Korea, Japan, Germany, United Kingdom, France, India, Brazil, Canada, Australia, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-09T21:36:29.555Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 699cf533be58cf853bf604e5
Added to database: 2/24/2026, 12:47:47 AM
Last enriched: 2/24/2026, 1:03:10 AM
Last updated: 2/24/2026, 5:33:23 AM