Cyber Resilience

CVE-2026-1976

MediumPublic PoC

Published: 06 February 2026

Published
06 February 2026
Modified
09 February 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0015 35.9th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1976 is a medium-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Free5Gc Free5Gc. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 35.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1976 is a null pointer dereference vulnerability (CWE-404, CWE-476) affecting the SessionDeletionResponse function in the SMF component of Free5GC versions up to 4.1.0. This flaw allows remote manipulation, resulting in a denial-of-service condition due to improper handling that leads to a crash. The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating medium severity with low complexity and no requirements for privileges or user interaction.

The vulnerability can be exploited remotely by unauthenticated attackers over the network with low effort. Successful exploitation triggers a null pointer dereference, causing the SMF component to crash and disrupt service availability, though it does not compromise confidentiality or integrity.

Advisories recommend installing a patch to mitigate the issue, with details available in Free5GC GitHub issue #817 and the corresponding pull request in the smf repository (free5gc/smf/pull/189). An exploit has been publicly disclosed and could be adapted for attacks.

Free5GC is an open-source implementation of 5G core network functions, making this vulnerability relevant to deployments relying on its SMF for session management.

EU & UK References

Vulnerability details

A weakness has been identified in Free5GC up to 4.1.0. Affected is the function SessionDeletionResponse of the component SMF. This manipulation causes null pointer dereference. The attack is possible to be carried out remotely. The exploit has been made available…

more

to the public and could be used for attacks. It is suggested to install a patch to address this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Null pointer dereference in public-facing SMF service directly enables remote unauthenticated crash via application exploitation, mapping to T1499.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1973Same product: Free5Gc Free5Gc
CVE-2026-1684Same product: Free5Gc Free5Gc
CVE-2026-2525Same product: Free5Gc Free5Gc
CVE-2026-1975Same product: Free5Gc Free5Gc
CVE-2026-33063Same product: Free5Gc Free5Gc
CVE-2026-1682Same product: Free5Gc Free5Gc
CVE-2026-1683Same product: Free5Gc Free5Gc
CVE-2026-44322Same product: Free5Gc Free5Gc
CVE-2026-1974Same product: Free5Gc Free5Gc
CVE-2025-70123Same product: Free5Gc Free5Gc

Affected Assets

free5gc
free5gc
≤ 4.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of patches to remediate the publicly disclosed null-pointer flaw in Free5GC SMF SessionDeletionResponse.

prevent

Mandates validation of all inputs to the SessionDeletionResponse function, preventing the malformed remote data that triggers the null dereference.

prevent

Requires mechanisms to protect against or limit denial-of-service effects from the SMF crash caused by this unauthenticated remote attack.

References