CVE-2025-69247 in Free5GC

Summary

by MITRE • 02/24/2026

free5GC go-upf is the User Plane Function (UPF) implementation for 5G networks that is part of the free5GC project. Versions prior to 1.2.8 have a Heap-based Buffer Overflow (CWE-122) vulnerability leading to Denial of Service. Remote attackers can crash the UPF network element by sending a specially crafted PFCP Session Modification Request with an invalid SDF Filter length field. This causes a heap buffer overflow, resulting in complete service disruption for all connected UEs and potential cascading failures affecting the SMF. All deployments of free5GC using the UPF component may be affected. Version 1.2.8 of go-upf contains a fix.

Analysis

by VulDB Data Team • 02/24/2026

CVE-2025-69247 affects the free5GC go-upf implementation, which serves as the User Plane Function component within 5G networks. This critical flaw is a heap-based buffer overflow (CWE-122) in the processing of PFCP Session Modification Requests. The vulnerability exists in versions prior to 1.2.8 and represents a significant threat to 5G network stability and availability. It is particularly concerning because it allows remote attackers to cause a denial of service on the UPF network element through carefully crafted malicious packets.

The technical exploitation occurs when a remote attacker sends a PFCP Session Modification Request containing an invalid SDF Filter length field. This malformed field triggers the heap buffer overflow condition within the UPF implementation, causing memory corruption that results in immediate process termination. The vulnerability stems from inadequate input validation and bounds checking during the processing of PFCP protocol messages, specifically when handling the SDF (Service Data Flow) filter length parameter. The attacker does not require any authentication or privileged access to exploit this vulnerability, making it particularly dangerous in production environments where network elements are exposed to external traffic.

The operational impact of this vulnerability extends beyond simple service disruption to potentially cause cascading failures throughout the 5G network infrastructure. When the UPF crashes due to the buffer overflow, all User Equipment connections managed by that UPF are immediately severed, leading to complete service interruption for connected users. The disruption affects not only individual user sessions but can also impact the broader network by causing failures in the SMF (Session Management Function) that relies on UPF availability for proper session management. This creates a domino effect where network reliability is compromised across multiple network functions, potentially affecting hundreds or thousands of concurrent users depending on the network deployment size.

Organizations using free5GC implementations with the UPF component should immediately prioritize upgrading to version 1.2.8 or later to remediate this vulnerability. The fix implemented in version 1.2.8 addresses the root cause by adding proper input validation and bounds checking for the SDF Filter length field in PFCP Session Modification Requests. Network administrators should also implement monitoring solutions to detect anomalous PFCP traffic patterns that might indicate attempted exploitation of this vulnerability. Network segmentation and access controls can provide further protection layers while the upgrade is being deployed. This vulnerability aligns with ATT&CK technique T1499.004 for network denial of service attacks and represents a critical weakness in 5G network infrastructure security that requires immediate attention to prevent widespread service disruption.
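The kind of bounds checking described above, shown as an added example that is not go-upf's code or its actual patch: a decoder for the SDF Filter IE payload that validates the declared flow description length against the bytes actually received. The function and constant names are hypothetical, and the field layout is assumed from 3GPP TS 29.244.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Flag bits in the first octet of the SDF Filter IE payload (3GPP TS 29.244).
const (
	flagFD  = 1 << iota // Flow Description, preceded by a 2-octet length
	flagTTC             // ToS Traffic Class, 2 octets
	flagSPI             // Security Parameter Index, 4 octets
	flagFL              // Flow Label, 3 octets
	flagBID             // SDF Filter ID, 4 octets
)

var ErrTruncated = errors.New("sdf filter: field runs past end of IE payload")

// ParseSDFFilter (hypothetical name) decodes the bytes after the IE header.
func ParseSDFFilter(p []byte) (string, error) {
	if len(p) < 2 { // flags octet + spare octet
		return "", ErrTruncated
	}
	flags, rest, flowDesc := p[0], p[2:], ""
	if flags&flagFD != 0 {
		if len(rest) < 2 {
			return "", ErrTruncated
		}
		n := int(binary.BigEndian.Uint16(rest))
		if rest = rest[2:]; n > len(rest) { // untrusted length vs. bytes present
			return "", ErrTruncated
		}
		flowDesc, rest = string(rest[:n]), rest[n:]
	}
	for _, f := range [][2]int{{flagTTC, 2}, {flagSPI, 4}, {flagFL, 3}, {flagBID, 4}} {
		if int(flags)&f[0] != 0 {
			if len(rest) < f[1] {
				return "", ErrTruncated
			}
			rest = rest[f[1]:]
		}
	}
	return flowDesc, nil
}

func main() { // constructed sample: length field claims 1024 octets, 3 follow
	fmt.Println(ParseSDFFilter([]byte{0x01, 0x00, 0x04, 0x00, 'a', 'b', 'c'}))
}
```

A decoder written this way returns an error for an inconsistent length field instead of reading past the buffer, so the message can be rejected and logged.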

Responsible

GitHub M

Reservation

12/30/2025

Disclosure

02/24/2026

Moderation

accepted

CPE

ready

EPSS

0.00246

KEV

no

Activities

very low
