CVE-2025-66720 in Free5GC
Summary
by MITRE • 01/23/2026
Null pointer dereference in free5gc pcf 1.4.0 in file internal/sbi/processor/ampolicy.go in function HandleDeletePoliciesPolAssoId.
Analysis
by VulDB Data Team • 02/12/2026
CVE-2025-66720 is a critical null pointer dereference in the free5gc pcf component, version 1.4.0. It is located in the file internal/sbi/processor/ampolicy.go, in the function HandleDeletePoliciesPolAssoId, where missing input validation can crash the process and cause a denial of service. free5gc is a widely used open-source implementation of the 5G core network functions and underpins a range of 5G deployments worldwide. The pcf component implements the Policy Control Function (PCF), which makes and enforces policy decisions within the 5G core. Because this handler processes requests without adequate null pointer checks, an attacker can use it to disrupt service availability.
The flaw is the classic programming error of dereferencing a pointer without first checking that it is non-null. In HandleDeletePoliciesPolAssoId, the code most likely looks up data structures by policy association identifier and accesses them without verifying that they were ever initialized; this is the pattern covered by CWE-476 (NULL Pointer Dereference). The function sits at the application layer, in the service-based interface (SBI) processing code of the 5G core, so the condition is reachable through otherwise legitimate service interactions: a specially crafted delete-policy request makes the handler operate on an uninitialized reference, which terminates the process or leaves the system unstable.
The operational impact goes beyond a single failed request. In production, the crash takes down the policy control function itself, which affects network slicing, QoS management, and 5G connectivity for every connected device that depends on it. The affected process terminates unexpectedly, needs manual restart, and its loss can cascade into other elements of the 5G core. Organizations running free5gc face significant risk because, as described, the flaw is reachable remotely over the SBI interface without authentication. The ATT&CK framework classifies this kind of issue under T1210, Exploitation of Remote Services, where application-level flaws are used to compromise a system. Operators on this software version are especially exposed because the defect lies in core policy control logic that governs critical network operations.
Mitigation for CVE-2025-66720 should start with updating to a free5gc release that fixes the null pointer dereference. Organizations should also run network monitoring capable of flagging anomalous request patterns that may indicate exploitation attempts, and add input validation at the SBI interface so that malformed policy deletion requests are rejected before they reach the vulnerable function. Security teams should alert automatically on crash events and unexpected process restarts of the pcf, since these are the observable symptoms of this vulnerability being triggered. Network segmentation should isolate the policy control function from less trusted zones, and access controls should expose the SBI interfaces only to trusted network segments, reducing the attack surface. The code fix itself consists of proper null checks in HandleDeletePoliciesPolAssoId so that every pointer is validated before it is dereferenced. Regular security assessments and code reviews focused on memory and reference handling should follow, to catch the same class of defect in other components of the 5G infrastructure stack.
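To make the defect and its fix concrete, the following is an added illustration of the pattern the analysis describes, not free5gc's own code. It assumes a hypothetical store of per-UE AM policy state keyed by policy association id; `deleteVulnerable` dereferences the lookup result without a nil check (a process-crashing panic in Go), while `deleteFixed` validates the pointer and maps an unknown id to a 404-style status instead.

```go
package main

import "fmt"

// Constructed model of a PCF's per-UE AM policy state (hypothetical types,
// not free5gc's): a UE context is found by policy association id.
type UeContext struct {
	Supi         string
	AMPolicyData map[string]string
}

type PolicyStore struct {
	byPolAssoId map[string]*UeContext
}

// findUe returns nil for an unknown or already-deleted association id.
func (s *PolicyStore) findUe(polAssoId string) *UeContext {
	return s.byPolAssoId[polAssoId]
}

// deleteVulnerable mirrors the CWE-476 defect: the lookup result is used
// without a nil check, so an unknown id panics (crashes) the process.
func (s *PolicyStore) deleteVulnerable(polAssoId string) int {
	ue := s.findUe(polAssoId)          // may be nil
	delete(ue.AMPolicyData, polAssoId) // nil pointer dereference when ue == nil
	delete(s.byPolAssoId, polAssoId)
	return 204
}

// deleteFixed validates the pointer first and answers 404 for unknown ids.
func (s *PolicyStore) deleteFixed(polAssoId string) int {
	ue := s.findUe(polAssoId)
	if ue == nil || ue.AMPolicyData == nil {
		return 404
	}
	delete(ue.AMPolicyData, polAssoId)
	delete(s.byPolAssoId, polAssoId)
	return 204
}

// safeCall runs a handler and reports whether it panicked, standing in for
// the process crash a real deployment would observe.
func safeCall(fn func() int) (status int, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	return fn(), false
}

// newStore builds constructed sample state with one known association "pa-1".
func newStore() *PolicyStore {
	ue := &UeContext{Supi: "imsi-208930000000001", AMPolicyData: map[string]string{"pa-1": "am-policy"}}
	return &PolicyStore{byPolAssoId: map[string]*UeContext{"pa-1": ue}}
}

func main() {
	s := newStore()
	fmt.Println(safeCall(func() int { return s.deleteVulnerable("pa-unknown") })) // 0 true
	fmt.Println(safeCall(func() int { return s.deleteFixed("pa-unknown") }))      // 404 false
	fmt.Println(safeCall(func() int { return s.deleteFixed("pa-1") }))            // 204 false
}
```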