CVE-2026-26025 identifies a NULL pointer dereference vulnerability (CWE-476) in the Session Management Function (SMF) of free5GC, an open-source 5G core network project. The SMF component handles session management and communicates with User Plane Functions (UPFs) via the PFCP protocol over UDP port 8805. In versions up to and including 1.4.1, when the SMF receives a malformed PFCP SessionReportRequest message, it dereferences a NULL pointer, causing the SMF process to panic and terminate. This results in a denial-of-service (DoS) condition, disrupting the 5G core network's session management capabilities. The vulnerability can be exploited remotely without authentication or user interaction, as the PFCP interface is exposed for communication with UPFs. No official upstream patch is currently available, but mitigations include network-level access control to restrict PFCP traffic to trusted UPF IP addresses, deploying network edge filters to drop or inspect malformed PFCP messages, and implementing application-level recovery mechanisms (e.g., adding recover() around PFCP handler dispatch) to prevent process termination. The CVSS 4.0 base score is 6.6 (medium severity), reflecting the ease of exploitation and significant impact on availability but no impact on confidentiality or integrity. This vulnerability poses a risk to operators using free5GC SMF in production 5G networks, potentially causing service disruptions and impacting subscriber connectivity.

The primary impact of CVE-2026-26025 is a denial-of-service condition on the free5GC SMF component, which is critical for managing 5G session states. An attacker sending malformed PFCP SessionReportRequest messages can cause the SMF process to crash, leading to session management failures and potential service outages for subscribers relying on the affected 5G core network. This disruption can degrade network availability and reliability, affecting end-user experience and potentially causing revenue loss for mobile network operators. Since SMF is a core network function, its failure can cascade, impacting other 5G core components and services dependent on session continuity. The vulnerability does not expose subscriber data or allow privilege escalation, but the availability impact is significant in a production environment. Organizations relying on free5GC SMF without mitigations are at risk of targeted or opportunistic DoS attacks, especially if the PFCP interface is exposed to untrusted networks or IP addresses.

1. Implement strict Access Control Lists (ACLs) or firewall rules to restrict PFCP (UDP/8805) interface access exclusively to trusted and authenticated UPF IP addresses, minimizing exposure to spoofed or malicious traffic. 2. Deploy deep packet inspection or protocol-aware filtering at the network edge to detect and drop malformed PFCP SessionReportRequest messages before they reach the SMF, reducing attack surface. 3. Apply application-level mitigations by modifying the free5GC SMF code to include recover() or equivalent exception handling around PFCP handler dispatch routines to prevent the entire process from terminating upon encountering malformed messages. 4. Monitor SMF process health and PFCP traffic patterns to detect anomalies indicative of exploitation attempts. 5. Plan for timely updates and patches once an official fix is released by the free5GC project. 6. Consider network segmentation to isolate the PFCP interface from broader network access, limiting potential attack vectors. 7. Conduct regular security assessments and penetration testing focused on PFCP protocol handling to identify and remediate similar vulnerabilities proactively.