CVE-2026-25501

free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics due to nil pointer dereference and the SMF process terminates. This is triggered by a malformed PFCP SessionReportRequest on the SMF PFCP (UDP/8805) interface. No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/free5gc/free5gc/issues/805	Exploit Issue Tracking Vendor Advisory
https://github.com/free5gc/free5gc/security/advisories/GHSA-vq85-8f6p-g9q5	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:free5gc:smf:*:*:*:*:*:go:*:*

History

No history.

Information

Published : 2026-02-24 01:16

Updated : 2026-02-25 16:26

NVD link : CVE-2026-25501

Mitre link : CVE-2026-25501

CVE.ORG link : CVE-2026-25501

JSON object : View

Products Affected

free5gc

smf

CWE

CWE-476

NULL Pointer Dereference

{"id": "CVE-2026-25501", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-24T01:16:12.927", "references": [{"url": "https://github.com/free5gc/free5gc/issues/805", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-vq85-8f6p-g9q5", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics due to nil pointer dereference and the SMF process terminates. This is triggered by a malformed PFCP SessionReportRequest on the SMF PFCP (UDP/8805) interface. No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only)."}, {"lang": "es", "value": "free5GC SMF proporciona la Funci\u00f3n de Gesti\u00f3n de Sesiones para free5GC, un proyecto de c\u00f3digo abierto para redes centrales m\u00f3viles de quinta generaci\u00f3n (5G). En versiones hasta la 1.4.1 inclusive, el SMF entra en p\u00e1nico debido a una desreferenciaci\u00f3n de puntero nulo y el proceso SMF finaliza. Esto se desencadena por una solicitud PFCP SessionReportRequest malformada en la interfaz PFCP (UDP/8805) del SMF. No hay una soluci\u00f3n ascendente conocida disponible, pero s\u00ed algunas soluciones alternativas. Aplique ACL/cortafuegos a la interfaz PFCP para que solo las IP de UPF de confianza puedan alcanzar el SMF (reduce la superficie de suplantaci\u00f3n/abuso); descarte/inspeccione los mensajes PFCP SessionReportRequest malformados en el borde de la red donde sea factible, y/o a\u00f1ada recover() alrededor del despacho del gestor PFCP para evitar la terminaci\u00f3n de todo el proceso (solo mitigaci\u00f3n)."}], "lastModified": "2026-02-25T16:26:40.507", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:free5gc:smf:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "D77A49EF-55CF-4F12-AAA2-2383C47AB810", "versionEndIncluding": "1.4.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}