CVE-2026-26025
Published: 24 February 2026
Summary
CVE-2026-26025 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Free5Gc Smf. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 24.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The NULL pointer dereference in the SMF PFCP handler allows any remote attacker with network access to UDP/8805 to crash the process with a single malformed SessionReportRequest packet, directly enabling Endpoint Denial of Service via Application or System Exploitation (T1499.004).
NVD Description
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface.…
more
No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).
Deeper analysisAI
CVE-2026-26025 affects the Session Management Function (SMF) component of free5GC, an open-source implementation of 5G mobile core network functions. In versions up to and including 1.4.1, the SMF panics and terminates when processing a malformed PFCP SessionReportRequest message received over the PFCP interface on UDP port 8805. This vulnerability, classified under CWE-476 (NULL Pointer Dereference), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high-impact denial of service.
Any unauthenticated attacker with network access to the PFCP interface can exploit this by sending a specially crafted, malformed PFCP SessionReportRequest packet, causing the SMF process to crash immediately. This results in a denial-of-service condition, disrupting session management services in the 5G core network until the SMF is restarted. No privileges, user interaction, or complex setup are required, making it accessible to remote attackers who can reach the UDP/8805 endpoint.
Advisories from the free5GC GitHub repository indicate no upstream patch is available as of publication. Recommended mitigations include firewalling or ACLs on the PFCP interface to restrict access to trusted User Plane Function (UPF) IP addresses, thereby reducing spoofing risks; inspecting or dropping malformed PFCP SessionReportRequest messages at the network edge if feasible; and implementing Go's recover() mechanism around the PFCP handler dispatch to prevent full process termination on panic.
Details
- CWE(s)