CVE-2026-25501
Published: 24 February 2026
Summary
CVE-2026-25501 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in free5GC SMF. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 22.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote nil-pointer DoS on the exposed PFCP UDP port directly matches exploitation of a public-facing application (T1190) that triggers an application or system crash for endpoint denial of service (T1499.004).
NVD Description
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics due to nil pointer dereference and the SMF process terminates. This is triggered by a malformed PFCP SessionReportRequest on the SMF PFCP (UDP/8805) interface. No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).
Deeper analysis
CVE-2026-25501 is a denial-of-service vulnerability in the Session Management Function (SMF) component of free5GC, an open-source implementation of 5G mobile core networks. Affecting versions up to and including 1.4.1, the issue stems from a nil pointer dereference (CWE-476) that causes the SMF process to panic and terminate. The flaw is triggered by receiving a malformed PFCP SessionReportRequest message over the SMF's PFCP interface on UDP port 8805.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is network-accessible with low attack complexity, requiring no privileges or user interaction, and results in high availability impact without affecting confidentiality or integrity. Any remote attacker able to reach the PFCP interface can exploit this by sending a crafted packet, causing repeated crashes of the SMF process and disrupting 5G session management services.
Advisories note no upstream fix is available as of publication. Recommended workarounds include firewalling or ACLs on the PFCP interface to restrict access to trusted User Plane Function (UPF) IP addresses, thereby reducing spoofing risks; inspecting or dropping malformed PFCP SessionReportRequest messages at the network edge if feasible; or implementing Go's recover() mechanism around the PFCP handler dispatch to prevent full process termination on panics. Relevant details are documented in free5GC GitHub issue #805 and security advisory GHSA-vq85-8f6p-g9q5.
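The recover() workaround described above, sketched as an added example (not code from free5GC or from the advisory). The names `Message`, `ReportIE`, `Handler`, `SafeDispatch` and `handleReport` are hypothetical, and the sample messages are constructed structs rather than decoded packets.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"runtime/debug"
)

// ReportIE, Message and Handler are hypothetical stand-ins for a decoded
// PFCP message and its handler; they are not free5GC types.
type ReportIE struct{ Kind uint8 }
type Message struct {
	SEID   uint64
	Report *ReportIE // nil when the decoder found no such IE
}
type Handler func(*Message) error

var ErrHandlerPanic = errors.New("pfcp handler panicked")

// SafeDispatch runs h and turns a panic into an error. recover() only works in
// a deferred call on the panicking goroutine, so wrap every handler goroutine.
func SafeDispatch(h Handler, m *Message) (err error) {
	defer func() {
		if r := recover(); r != nil {
			log.Printf("handler panic: %v\n%s", r, debug.Stack()) // trace for triage
			err = fmt.Errorf("%w: %v", ErrHandlerPanic, r)
		}
	}()
	return h(m)
}

// handleReport mimics the bug class: an optional field read with no nil check.
func handleReport(m *Message) error {
	log.Printf("SEID=%d report kind=%d", m.SEID, m.Report.Kind)
	return nil
}

func main() {
	msgs := []*Message{
		{SEID: 1, Report: &ReportIE{Kind: 1}},
		{SEID: 2}, // constructed sample: optional IE absent
		{SEID: 3, Report: &ReportIE{Kind: 2}},
	}
	for _, m := range msgs {
		if err := SafeDispatch(handleReport, m); err != nil {
			fmt.Printf("dropped message SEID=%d: %v\n", m.SEID, err)
		}
	}
}
```

The wrapper only contains the crash: the message is dropped and the process keeps serving, while the missing nil check in the handler remains the defect to fix.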
Details
- CWE(s)