Cyber Resilience

CVE-2026-1975

MediumPublic PoC

Published: 06 February 2026

Published
06 February 2026
Modified
09 February 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0015 35.9th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1975 is a medium-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Free5Gc Free5Gc. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-1975 is a null pointer dereference vulnerability in the identityTriggerType function within the pfcp_reports.go file of Free5GC, affecting versions up to 4.1.0. Free5GC is an open-source implementation of 5G core network functions. The flaw, associated with CWE-404 ( Improper Resource Shutdown or Release) and CWE-476 (NULL Pointer Dereference), has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating medium severity with low impact primarily on availability.

The vulnerability can be exploited remotely by unauthenticated attackers over the network with low complexity and no user interaction required. Successful exploitation triggers a null pointer dereference, resulting in a denial-of-service condition through application crashes or instability, but without impacts on confidentiality or integrity.

Mitigation involves applying patches, as advised in the vulnerability disclosure. Relevant GitHub references include free5gc/free5gc issues #814 and the associated comment #3831993593, along with a pull request in free5gc/smf #189 that addresses the issue. An exploit is publicly available, increasing the risk of real-world attacks on unpatched systems.

EU & UK References

Vulnerability details

A security flaw has been discovered in Free5GC up to 4.1.0. This impacts the function identityTriggerType of the file pfcp_reports.go. The manipulation results in null pointer dereference. The attack can be executed remotely. The exploit has been released to the…

more

public and may be used for attacks. Applying a patch is advised to resolve this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated null dereference exploit in public-facing 5G network function directly enables T1190 for initial access and T1499.004 for application-layer DoS via crafted input.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1682Same product: Free5Gc Free5Gc
CVE-2026-1974Same product: Free5Gc Free5Gc
CVE-2026-1973Same product: Free5Gc Free5Gc
CVE-2026-1976Same product: Free5Gc Free5Gc
CVE-2026-1684Same product: Free5Gc Free5Gc
CVE-2026-44319Same product: Free5Gc Free5Gc
CVE-2026-2525Same product: Free5Gc Free5Gc
CVE-2026-44325Same product: Free5Gc Free5Gc
CVE-2026-44321Same product: Free5Gc Free5Gc
CVE-2026-33063Same product: Free5Gc Free5Gc

Affected Assets

free5gc
free5gc
≤ 4.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of patches to remediate the publicly disclosed null-pointer flaw in pfcp_reports.go before remote exploitation occurs.

prevent

Requires validation of PFCP protocol inputs to the identityTriggerType function, blocking the malformed messages that trigger the null dereference.

prevent

Mandates consistent error handling for unexpected null conditions so that a dereference results in graceful termination rather than a DoS crash.

References