Cyber Resilience

CVE-2025-70122

HighPublic PoC

Published: 13 February 2026

Published
13 February 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0020 42.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-70122 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Free5Gc Free5Gc. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 42.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2025-70122 is a heap buffer overflow vulnerability in the UPF component of free5GC version 4.0.1. The issue occurs in the SDFFilterFields.UnmarshalBinary function (sdf-filter.go) when processing a declared length that exceeds the actual buffer capacity, resulting in a runtime panic and UPF crash. Published on 2026-02-13 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapped to CWE-122, it enables remote denial of service via a crafted PFCP Session Modification Request.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By sending a specially crafted PFCP Session Modification Request, attackers can trigger the buffer overflow, causing a runtime panic that crashes the UPF component and disrupts service availability.

Mitigation details are available in the GitHub issue at https://github.com/free5gc/free5gc/issues/746.

EU & UK References

Vulnerability details

A heap buffer overflow vulnerability in the UPF component of free5GC v4.0.1 allows remote attackers to cause a denial of service via a crafted PFCP Session Modification Request. The issue occurs in the SDFFilterFields.UnmarshalBinary function (sdf-filter.go) when processing a declared…

more

length that exceeds the actual buffer capacity, leading to a runtime panic and UPF crash.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Heap buffer overflow in network-facing UPF component triggers remote crash/panic on crafted PFCP message, directly mapping to application/system exploitation for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-70123Same product: Free5Gc Free5Gc
CVE-2026-33063Same product: Free5Gc Free5Gc
CVE-2026-2525Same product: Free5Gc Free5Gc
CVE-2026-1976Same product: Free5Gc Free5Gc
CVE-2026-44322Same product: Free5Gc Free5Gc
CVE-2026-1684Same product: Free5Gc Free5Gc
CVE-2025-70121Same product: Free5Gc Free5Gc
CVE-2026-1683Same product: Free5Gc Free5Gc
CVE-2026-1973Same product: Free5Gc Free5Gc
CVE-2026-30653Same product: Free5Gc Free5Gc

Affected Assets

free5gc
free5gc
4.0.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of PFCP Session Modification Request lengths and structures to prevent heap buffer overflows during unmarshaling in SDFFilterFields.UnmarshalBinary.

prevent

Mandates timely identification, reporting, and remediation of the specific heap buffer overflow flaw in free5GC v4.0.1 UPF component.

prevent

Ensures error handling for buffer capacity exceedances prevents runtime panics and UPF crashes instead of compromising availability.

References