Cyber Resilience

CVE-2026-26024

MediumPublic PoC

Published: 24 February 2026

Published
24 February 2026
Modified
25 February 2026
KEV Added
Patch
CVSS Score v4 6.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0009 25.1th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26024 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in Free5Gc Smf. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 25.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26024 affects the Session Management Function (SMF) component of free5GC, an open-source implementation of 5G mobile core networks. In versions up to and including 1.4.1, the SMF panics and terminates when processing a malformed PFCP SessionReportRequest message received over the PFCP interface on UDP port 8805. This vulnerability, classified under CWE-476 (NULL Pointer Dereference), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high-impact denial of service.

Any unauthenticated attacker with network access to the PFCP interface can exploit this by sending a specially crafted, malformed PFCP SessionReportRequest packet, causing the SMF process to crash immediately. Successful exploitation results in a denial of service, disrupting session management for 5G user equipment and potentially affecting broader core network operations until the SMF restarts. No privileges, user interaction, or complex setup are required, making it accessible to remote attackers who can reach the exposed UDP/8805 endpoint.

Advisories note no upstream patch is available as of publication on 2026-02-24. Recommended mitigations include firewalling or ACLs on the PFCP interface to restrict access to trusted User Plane Function (UPF) IP addresses, thereby reducing spoofing risks; inspecting or dropping malformed PFCP SessionReportRequest messages at the network perimeter; or implementing Go's recover() mechanism around the PFCP handler dispatch to prevent full process termination on panic. See GitHub issue #807 and advisory GHSA-mrv4-m9wc-c4g9 for details.

EU & UK References

Vulnerability details

free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface.…

more

No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes remote unauthenticated exploitation of a NULL pointer dereference (via malformed PFCP packet) that directly crashes the SMF process, matching application/system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26025Same product: Free5Gc Smf
CVE-2026-25501Same product: Free5Gc Smf
CVE-2025-69252Same vendor: Free5Gc
CVE-2025-66720Same vendor: Free5Gc
CVE-2026-33063Same vendor: Free5Gc
CVE-2026-1973Same vendor: Free5Gc
CVE-2026-1976Same vendor: Free5Gc
CVE-2026-44322Same vendor: Free5Gc
CVE-2025-69232Same product: Free5Gc Smf
CVE-2026-41135Same vendor: Free5Gc

Affected Assets

free5gc
smf
≤ 1.4.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces boundary protection via firewalls or ACLs to restrict PFCP interface (UDP/8805) access to only trusted UPF IP addresses, preventing unauthenticated attackers from sending malformed SessionReportRequest messages.

prevent

Requires validation of incoming PFCP SessionReportRequest messages at the network edge or application layer to detect and drop malformed packets, avoiding the NULL pointer dereference crash.

prevent

Implements robust error handling, such as Go recover() around PFCP handler dispatch, to catch panics from malformed inputs and prevent full SMF process termination.

References