CVE-2026-25501
Published: 24 February 2026
Summary
CVE-2026-25501 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in free5GC SMF. Its CVSS base score is 6.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 22.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-25501 is a denial-of-service vulnerability in the Session Management Function (SMF) component of free5GC, an open-source implementation of 5G mobile core networks. Affecting versions up to and including 1.4.1, the issue stems from a nil pointer dereference (CWE-476) that causes the SMF process to panic and terminate. The flaw is triggered by receiving a malformed PFCP SessionReportRequest message over the SMF's PFCP interface on UDP port 8805.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is network-accessible with low attack complexity, requiring no privileges or user interaction, and results in high availability impact without affecting confidentiality or integrity. Any remote attacker able to reach the PFCP interface can exploit this by sending a crafted packet, causing repeated crashes of the SMF process and disrupting 5G session management services.
Advisories note no upstream fix is available as of publication. Recommended workarounds include firewalling or ACLs on the PFCP interface to restrict access to trusted User Plane Function (UPF) IP addresses, thereby reducing spoofing risks; inspecting or dropping malformed PFCP SessionReportRequest messages at the network edge if feasible; or implementing Go's recover() mechanism around the PFCP handler dispatch to prevent full process termination on panics. Relevant details are documented in free5GC GitHub issue #805 and security advisory GHSA-vq85-8f6p-g9q5.
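The recover() workaround and the underlying nil check, sketched as an added example (not free5GC's code). The message types, the `Report` field and all function names are hypothetical stand-ins, since the page does not say which field is dereferenced.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for a decoded PFCP message; not free5GC's types.
type DownlinkReport struct{ PDRID uint16 }

type SessionReportRequest struct {
	Report *DownlinkReport // hypothetical optional IE: nil when absent on the wire
}

var ErrMalformed = errors.New("pfcp: SessionReportRequest missing expected IE")

type Handler func(*SessionReportRequest) (uint16, error)

// unsafeHandler shows the bug class: it trusts that the optional IE was present.
func unsafeHandler(req *SessionReportRequest) (uint16, error) {
	return req.Report.PDRID, nil // nil pointer dereference when Report is absent
}

// checkedHandler rejects the message before any field is dereferenced.
func checkedHandler(req *SessionReportRequest) (uint16, error) {
	if req == nil || req.Report == nil {
		return 0, ErrMalformed
	}
	return req.Report.PDRID, nil
}

// SafeDispatch runs h and turns a panic into an error. recover() only works in
// a deferred call on the goroutine that panicked, so wrap each handler goroutine.
func SafeDispatch(h Handler, req *SessionReportRequest) (id uint16, err error) {
	defer func() {
		if r := recover(); r != nil {
			id, err = 0, fmt.Errorf("pfcp handler panic recovered: %v", r)
		}
	}()
	return h(req)
}

func main() {
	malformed := &SessionReportRequest{} // constructed input: IE missing
	_, err := SafeDispatch(unsafeHandler, malformed)
	fmt.Println("unsafe handler: ", err)
	_, err = SafeDispatch(checkedHandler, malformed)
	fmt.Println("checked handler:", err)
}
```

The wrapper keeps the process alive but does not remove the defect; the nil check in the handler is what stops the malformed message from being processed at all.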
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7466
Vulnerability details
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics due to nil pointer dereference and the SMF process terminates. This is triggered by a malformed PFCP SessionReportRequest on the SMF PFCP (UDP/8805) interface. No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote nil-pointer DoS on exposed PFCP UDP port directly matches exploitation of a public-facing application (T1190) that triggers application/system crash for endpoint denial of service (T1499.004).
Mitigating Controls (NIST 800-53 r5)
Boundary protection enforces firewall/ACL restrictions on the PFCP UDP/8805 interface to trusted UPF IPs, preventing untrusted remote attackers from sending malformed SessionReportRequest messages.
Information input validation checks and rejects malformed PFCP SessionReportRequest messages before processing, directly mitigating the nil pointer dereference crash.
Denial-of-service protection limits the impact of repeated crafted packets targeting the SMF PFCP interface to cause process panics and service disruption.