CVE-2026-2525
Published: 16 February 2026
Summary
CVE-2026-2525 is a medium-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Free5Gc Free5Gc. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 28.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-2525 is a vulnerability discovered in Free5GC versions up to 4.1.0, affecting an unknown function within the PFCP UDP Endpoint component. Manipulation of this function leads to a denial of service condition. The issue is classified under CWE-404 and has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating medium severity with low impact on availability and no effects on confidentiality or integrity. It was published on 2026-02-16.
The vulnerability enables remote exploitation without requiring user interaction or privileges. Attackers can trigger the denial of service by sending manipulated packets to the PFCP UDP Endpoint, potentially disrupting service availability for affected Free5GC deployments.
References include the Free5GC GitHub repository (https://github.com/free5gc/free5gc/) and specific issues #796 (https://github.com/free5gc/free5gc/issues/796 and https://github.com/free5gc/free5gc/issues/796#issue-3812169865), along with VulDB entries (https://vuldb.com/?ctiid.346113 and https://vuldb.com/?id.346113). The exploit has been publicly disclosed and may be used, though no specific patch or mitigation details are outlined in the provided description.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6138
Vulnerability details
A vulnerability has been found in Free5GC up to 4.1.0. This affects an unknown function of the component PFCP UDP Endpoint. Such manipulation leads to denial of service. The attack can be launched remotely. The exploit has been disclosed to…
more
the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes remote unauthenticated exploitation of a PFCP UDP service (via crafted packets) that directly triggers a denial-of-service condition (CWE-404), matching the definition of Application or System Exploitation under Endpoint Denial of Service.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires mechanisms to protect against or limit effects of denial-of-service attacks targeting network endpoints such as the PFCP UDP listener.
Mandates validation of all inputs to the PFCP UDP Endpoint so that malformed or malicious packets cannot trigger the denial-of-service condition.
Enforces boundary filtering and traffic control that can restrict or drop crafted PFCP packets before they reach the vulnerable UDP endpoint.