Description
A vulnerability has been found in Free5GC pcf up to 1.4.1. It affects the function HandleCreateSmPolicyRequest in the file internal/sbi/processor/smpolicy.go. Manipulation of the request leads to a null pointer dereference. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. The patch is identified by commit df535f5524314620715e842baf9723efbeb481a7. Applying the patch is the recommended way to fix this issue.
Published: 2026-02-02
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

A null pointer dereference occurs in the function HandleCreateSmPolicyRequest within the Free5GC pcf component. The flaw allows an attacker to send a specially crafted request that causes the service to dereference a null pointer, terminating the process. Because the crash disrupts the policy management functionality, an attacker can cause a denial of service. The vulnerability exemplifies weaknesses identified by CWE-476 and CWE-404.

Affected Systems

The affected vendor is Free5GC, specifically the pcf component of the 5G core network. Versions up to and including 1.4.1 are vulnerable; the fix is contained in commit df535f5524314620715e842baf9723efbeb481a7. Exact version numbers beyond 1.4.1 are not listed, so any earlier or equal releases are considered affected until an update is applied.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score is less than 1%, suggesting that exploitation is unlikely under normal circumstances. The vulnerability is not present in the CISA KEV catalog. Attackers can reach the flaw remotely by targeting the smpolicy service endpoints. A successful exploit would drop the policy management process, leading to a service outage for the 5G core.

Generated by OpenCVE AI on April 18, 2026 at 00:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch identified by commit df535f5524314620715e842baf9723efbeb481a7 to the Free5GC pcf component.
  • Upgrade to the latest released version of Free5GC pcf (post‑1.4.1) if available.
  • Verify the patched behavior by testing SM policy creation (the request handled by HandleCreateSmPolicyRequest) and ensuring the service remains stable.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:free5gc:pcf:*:*:*:*:*:*:*:*

Tue, 03 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc pcf
Vendors & Products Free5gc
Free5gc pcf

Mon, 02 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Feb 2026 02:15:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in Free5GC pcf up to 1.4.1. This affects the function HandleCreateSmPolicyRequest of the file internal/sbi/processor/smpolicy.go. The manipulation leads to null pointer dereference. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is df535f5524314620715e842baf9723efbeb481a7. Applying a patch is the recommended action to fix this issue.
Title Free5GC pcf smpolicy.go HandleCreateSmPolicyRequest null pointer dereference
Weaknesses CWE-404
CWE-476
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:12:55.936Z

Reserved: 2026-02-01T07:50:20.426Z

Link: CVE-2026-1739

Vulnrichment

Updated: 2026-02-02T14:21:09.619Z

NVD

Status : Analyzed

Published: 2026-02-02T02:16:10.823

Modified: 2026-02-11T19:35:36.320

Link: CVE-2026-1739

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:00:11Z

Weaknesses