CVE-2026-26024
Published: 24 February 2026
Summary
CVE-2026-26024 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Free5Gc Smf. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 24.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes remote unauthenticated exploitation of a NULL pointer dereference (via malformed PFCP packet) that directly crashes the SMF process, matching application/system exploitation for endpoint denial of service.
NVD Description
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface.…
more
No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).
Deeper analysisAI
CVE-2026-26024 affects the Session Management Function (SMF) component of free5GC, an open-source implementation of 5G mobile core networks. In versions up to and including 1.4.1, the SMF panics and terminates when processing a malformed PFCP SessionReportRequest message received over the PFCP interface on UDP port 8805. This vulnerability, classified under CWE-476 (NULL Pointer Dereference), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high-impact denial of service.
Any unauthenticated attacker with network access to the PFCP interface can exploit this by sending a specially crafted, malformed PFCP SessionReportRequest packet, causing the SMF process to crash immediately. Successful exploitation results in a denial of service, disrupting session management for 5G user equipment and potentially affecting broader core network operations until the SMF restarts. No privileges, user interaction, or complex setup are required, making it accessible to remote attackers who can reach the exposed UDP/8805 endpoint.
Advisories note no upstream patch is available as of publication on 2026-02-24. Recommended mitigations include firewalling or ACLs on the PFCP interface to restrict access to trusted User Plane Function (UPF) IP addresses, thereby reducing spoofing risks; inspecting or dropping malformed PFCP SessionReportRequest messages at the network perimeter; or implementing Go's recover() mechanism around the PFCP handler dispatch to prevent full process termination on panic. See GitHub issue #807 and advisory GHSA-mrv4-m9wc-c4g9 for details.
Details
- CWE(s)