Description
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface. No known upstream fix is available, but workarounds exist: restrict the PFCP interface with an ACL or firewall so that only trusted UPF IPs can reach SMF (reducing the spoofing/abuse surface); drop or inspect malformed PFCP SessionReportRequest messages at the network edge where feasible; and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).
Published: 2026-02-24
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Service Disruption (Denial of Service)
Action: Apply Workaround
AI Analysis

Impact

A nil pointer dereference in the free5GC SMF causes a panic and process termination when a malformed PFCP SessionReportRequest is processed. The fault occurs when ReportType.USAR is set to 1 and the mandatory URRID sub-information element is omitted from the UsageReport. Because the panic crashes the SMF process, a single crafted request can bring down the entire session management function, leading to denial of service for the parts of the 5G core network it supports.

Affected Systems

The vulnerability affects the free5GC Session Management Function (SMF), versions up to and including 1.4.1, deployed by operators using the open‑source free5GC 5G core stack.

Risk and Exploitability

The CVSS v4.0 base score is 6.6 (Medium). The EPSS score is less than 1%, indicating a low probability of exploitation in the wild, and the issue is not listed in CISA’s KEV catalog. The flaw is reachable remotely via the PFCP UDP interface on port 8805, so an attacker with network access to the SMF endpoint can send the malformed SessionReportRequest and trigger a crash.

Generated by OpenCVE AI on April 17, 2026 at 16:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Configure the firewall or ACL on the SMF host to allow PFCP traffic only from trusted UPF IP addresses, thereby reducing spoofing and abuse surface.
  • Install packet inspection or filtering at the network edge to drop or quarantine malformed PFCP SessionReportRequest messages before they reach the SMF process.
  • Wrap the PFCP request handler with a recover() guard in the SMF code to prevent a full‑process crash when a panic occurs; this mitigates the impact until an official upstream fix becomes available.
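
The recover() guard and the missing-URRID check described above, as an added Go example (not free5GC's code). The types and the names `unsafeHandle`, `checkedHandle` and `guard` are hypothetical, simplified stand-ins for a decoded PFCP message and its handler dispatch.

```go
package main

import "errors"
import "fmt"

// Hypothetical, simplified stand-ins for decoded PFCP IEs (not free5GC's types).
type UsageReport struct{ URRID *uint32 } // nil URRID: mandatory sub-IE omitted
type SessionReportRequest struct {
	USAR         bool // ReportType.USAR flag
	UsageReports []UsageReport
}
type handler func(*SessionReportRequest) ([]uint32, error)
var ErrMissingURRID = errors.New("USAR=1 but UsageReport lacks mandatory URRID")

// unsafeHandle models the faulty pattern: URRID is dereferenced unchecked.
func unsafeHandle(req *SessionReportRequest) (ids []uint32, err error) {
	for i := 0; req.USAR && i < len(req.UsageReports); i++ {
		ids = append(ids, *req.UsageReports[i].URRID) // panics when URRID is nil
	}
	return ids, nil
}

// checkedHandle validates the mandatory sub-IE before touching it.
func checkedHandle(req *SessionReportRequest) ([]uint32, error) {
	for _, ur := range req.UsageReports {
		if req.USAR && ur.URRID == nil {
			return nil, ErrMissingURRID
		}
	}
	return unsafeHandle(req)
}

// guard turns a handler panic into an error so one message cannot end the process.
func guard(h handler) handler {
	return func(req *SessionReportRequest) (ids []uint32, err error) {
		defer func() {
			if r := recover(); r != nil {
				ids, err = nil, fmt.Errorf("pfcp handler panic recovered: %v", r)
			}
		}()
		return h(req)
	}
}

func main() {
	bad := &SessionReportRequest{USAR: true, UsageReports: []UsageReport{{}}} // constructed sample
	fmt.Println(guard(unsafeHandle)(bad))  // recovered panic reported as an error
	fmt.Println(guard(checkedHandle)(bad)) // rejected by validation, no panic
}
```

The guard only contains the crash; the explicit nil check is what lets the message be rejected with a precise error that can be logged and counted.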


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 25 Feb 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | cpe:2.3:a:free5gc:smf:*:*:*:*:*:go:*:* |
| Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'} |


Tue, 24 Feb 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Free5gc; Free5gc smf |
| Vendors & Products | | Free5gc; Free5gc smf |

Tue, 24 Feb 2026 00:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface. No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only). |
| Title | | free5GC SMF crash (nil pointer dereference) on PFCP SessionReportRequest when ReportType.USAR=1 and UsageReport omits mandatory URRID sub-IE |
| Weaknesses | | CWE-476 |
| References | | |
| Metrics | | cvssV4_0 {'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:31:19.868Z

Reserved: 2026-02-09T21:36:29.555Z

Link: CVE-2026-26025

Vulnrichment

Updated: 2026-02-26T14:31:09.892Z

NVD

Status: Analyzed

Published: 2026-02-24T01:16:15.237

Modified: 2026-02-25T16:28:24.257

Link: CVE-2026-26025

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z
