Description
A flaw has been found in Free5GC SMF up to 4.1.0. Affected is the function HandlePfcpAssociationReleaseRequest of the file internal/pfcp/handler/handler.go of the component PFCP UDP Endpoint. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been published and may be used. A patch should be applied to remediate this issue.
Published: 2026-01-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Denial of Service
Action: Patch
AI Analysis

Impact

Free5GC SMF contains a null pointer dereference in the HandlePfcpAssociationReleaseRequest function of its PFCP UDP Endpoint. When the SMF processes a malformed PFCP Association Release Request, the handler dereferences a nil pointer and the SMF process crashes. The crash is a denial of service for the affected SMF, disrupting routing and control functions in the 5G core. The weakness is identified as CWE‑476 (Null Pointer Dereference) and does not allow arbitrary code execution.

The description states that the attack may be launched remotely. That a crafted PFCP message is needed is inferred from the wording that a manipulation can lead to the dereference. The CVSS score of 6.9 indicates medium severity, and the EPSS of <1% suggests exploitation is currently unlikely, although an exploit has already been published. The vulnerability is not listed in the CISA KEV catalog, so no immediate alerts are issued. However, because the flaw can be triggered by a single crafted PFCP Association Release Request over UDP, the attack remains possible until a patch is applied.

Affected Systems

Free5GC SMF component versions up to 4.1.0 are affected. The flaw resides in the internal/pfcp/handler/handler.go file within the PFCP UDP Endpoint of the SMF. Users running the open‑source 5G core stack should verify that their SMF deployment is newer than 4.1.0 to avoid the vulnerability.

Risk and Exploitability

The medium CVSS score reflects the potential for denial of service but not for arbitrary code execution. With an EPSS of <1%, the estimated likelihood of exploitation is currently low, yet the existence of a publicly released exploit raises concern. The vulnerability is not present in CISA KEV, indicating no current active advisories. The flaw can be triggered remotely by sending a crafted PFCP Association Release Request (inferred to be the input required to reach the null pointer dereference), and no further privileges are gained. Until a patch is applied, the SMF remains exposed to potential crashes from malicious PFCP traffic.

Generated by OpenCVE AI on April 18, 2026 at 14:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Free5GC SMF patch by upgrading to a release newer than 4.1.0 that fixes HandlePfcpAssociationReleaseRequest.
  • Configure firewall rules to restrict PFCP UDP traffic so the SMF accepts messages only from authenticated peers, thereby limiting the attack surface while the patch is applied.
  • After applying the patch, restart the SMF service to load the updated binary and ensure the crash condition no longer occurs.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 09:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |

Tue, 17 Feb 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Free5gc free5gc |
| CPEs | | `cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Free5gc free5gc |

Tue, 03 Feb 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Free5gc, Free5gc smf |
| Vendors & Products | | Free5gc, Free5gc smf |

Fri, 30 Jan 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Fri, 30 Jan 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A flaw has been found in Free5GC SMF up to 4.1.0. Affected is the function HandlePfcpAssociationReleaseRequest of the file internal/pfcp/handler/handler.go of the component PFCP UDP Endpoint. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been published and may be used. A patch should be applied to remediate this issue. |
| Title | | Free5GC SMF PFCP UDP Endpoint handler.go HandlePfcpAssociationReleaseRequest null pointer dereference |
| Weaknesses | | CWE-404, CWE-476 |
| References | | |
| Metrics | | cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}` |
| Metrics | | cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}` |
| Metrics | | cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}` |
| Metrics | | cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}` |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:08:18.220Z

Reserved: 2026-01-30T07:35:31.971Z

Link: CVE-2026-1682

Vulnrichment

Updated: 2026-01-30T14:50:35.372Z

NVD

Status: Modified

Published: 2026-01-30T14:16:07.100

Modified: 2026-02-23T10:16:18.610

Link: CVE-2026-1682

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:30:02Z
