CVE-2026-26025
Published: 24 February 2026
Summary
CVE-2026-26025 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in free5GC SMF. Its CVSS base score is 6.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 25.1th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-26025 affects the Session Management Function (SMF) component of free5GC, an open-source implementation of 5G mobile core network functions. In versions up to and including 1.4.1, the SMF panics and terminates when processing a malformed PFCP SessionReportRequest message received over the PFCP interface on UDP port 8805. This vulnerability, classified under CWE-476 (NULL Pointer Dereference), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high-impact denial of service.
Any unauthenticated attacker with network access to the PFCP interface can exploit this by sending a specially crafted, malformed PFCP SessionReportRequest packet, causing the SMF process to crash immediately. This results in a denial-of-service condition, disrupting session management services in the 5G core network until the SMF is restarted. No privileges, user interaction, or complex setup are required, making it accessible to remote attackers who can reach the UDP/8805 endpoint.
Advisories from the free5GC GitHub repository indicate no upstream patch is available as of publication. Recommended mitigations include firewalling or ACLs on the PFCP interface to restrict access to trusted User Plane Function (UPF) IP addresses, thereby reducing spoofing risks; inspecting or dropping malformed PFCP SessionReportRequest messages at the network edge if feasible; and implementing Go's recover() mechanism around the PFCP handler dispatch to prevent full process termination on panic.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7464
Vulnerability details
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface.…
No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The NULL pointer dereference in the SMF PFCP handler allows any remote attacker with network access to UDP/8805 to crash the process with a single malformed SessionReportRequest packet, directly enabling Endpoint Denial of Service via Application or System Exploitation (T1499.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Boundary protection enforces network-level restrictions like ACLs or firewalls to limit PFCP interface access to trusted UPF IPs, preventing unauthenticated remote attackers from reaching the vulnerable UDP/8805 endpoint.
Information input validation detects and rejects malformed PFCP SessionReportRequest messages before processing, directly mitigating the NULL pointer dereference crash.
Error handling implements mechanisms like recover() around PFCP handlers to contain panics and prevent full SMF process termination on malformed inputs.
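The input-validation and recover() controls described above, sketched in Go as an added example (this is not free5GC code). The types, handler names and the missing field are hypothetical: the page does not say which element of the SessionReportRequest triggers the panic.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for a decoded PFCP message; not free5GC types.
type ReportType struct{ Dldr bool }
type SessionReportRequest struct {
	ReportType *ReportType // nil when the element is absent from the packet
}

var errMissingIE = errors.New("pfcp: mandatory element missing")
var handled int // counts reports that reached the business logic

// unsafeHandler shows the failure class: an optional pointer used unchecked.
func unsafeHandler(req *SessionReportRequest) error {
	if req.ReportType.Dldr { // nil pointer dereference when the element is absent
		handled++
	}
	return nil
}

// validatingHandler rejects the message before any dereference (SI-10 style).
func validatingHandler(req *SessionReportRequest) error {
	if req == nil || req.ReportType == nil {
		return errMissingIE
	}
	return unsafeHandler(req)
}

// Dispatch converts a handler panic into an error so that one bad datagram
// cannot terminate the whole process. Containment only, not a fix.
func Dispatch(h func(*SessionReportRequest) error, req *SessionReportRequest) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("pfcp handler panic contained: %v", r)
		}
	}()
	return h(req)
}

func main() {
	malformed := &SessionReportRequest{} // constructed input: element absent
	fmt.Println(Dispatch(unsafeHandler, malformed))
	fmt.Println(Dispatch(validatingHandler, malformed))
}
```

recover() only catches a panic raised in the goroutine that deferred it, so a handler that starts its own goroutines needs the same deferred wrapper inside each of them. Log and count contained panics so that a stream of malformed messages is visible to operations rather than silently absorbed.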