Description
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface. No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).
Published: 2026-02-24
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Workaround
AI Analysis

Impact

A nil pointer dereference in free5GC SMF leads to a crash when it processes a malformed PFCP SessionReportRequest that omits the mandatory URRID sub-IE while ReportType.USAR equals 1. The crash terminates the SMF process, causing a loss of session management services. Because the crash occurs without requiring code execution, the primary impact is service disruption, not data compromise.

Affected Systems

The vulnerability affects the free5GC SMF component of the free5GC open‑source 5G core network. Versions up to and including 1.4.1 are impacted. All deployments of SMF that accept PFCP messages on UDP port 8805 are potentially susceptible unless mitigations are applied.

Risk and Exploitability

The CVSS score of 6.6 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the crash by sending a crafted PFCP SessionReportRequest from a remote host that the SMF accepts. Therefore, the primary attack surface is remote network traffic to PFCP. While there are no documented exploits, the low EPSS score reflects that the exploit window is narrow, but the impact to availability makes it a concern for high‑availability deployments.

Generated by OpenCVE AI on April 17, 2026 at 16:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict the PFCP interface using ACLs or firewalls so that only trusted UPF IPs can reach the SMF process.
  • Drop or inspect malformed PFCP SessionReportRequest messages at the edge of the network before they reach SMF when possible.
  • Wrap the PFCP handler dispatch in a recover() call to prevent a single malformed packet from causing the entire SMF process to terminate.

Generated by OpenCVE AI on April 17, 2026 at 16:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:free5gc:smf:*:*:*:*:*:go:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 24 Feb 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc smf
Vendors & Products Free5gc
Free5gc smf

Tue, 24 Feb 2026 00:45:00 +0000

Type Values Removed Values Added
Description free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface. No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).
Title free5GC SMF crash (nil pointer dereference) on PFCP SessionReportRequest when ReportType.USAR=1 and UsageReport omits mandatory URRID sub-IE 
Weaknesses CWE-476
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Free5gc Smf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:30:03.495Z

Reserved: 2026-02-09T21:36:29.555Z

Link: CVE-2026-26024

cve-icon Vulnrichment

Updated: 2026-02-26T14:29:51.019Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-24T01:16:15.087

Modified: 2026-02-25T16:27:56.640

Link: CVE-2026-26024

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z

Weaknesses