CVE-2026-25501 in Free5GC

Summary

by MITRE • 02/24/2026

free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics due to nil pointer dereference and the SMF process terminates. This is triggered by a malformed PFCP SessionReportRequest on the SMF PFCP (UDP/8805) interface. No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).


Analysis

by VulDB Data Team • 02/24/2026

The CVE-2026-25501 vulnerability affects the free5GC SMF (Session Management Function) component within the 5G mobile core network infrastructure. This open-source implementation provides critical session management capabilities for 5G networks, making it a foundational element in modern telecommunications infrastructure. The vulnerability manifests as a nil pointer dereference condition that causes the SMF process to crash and terminate unexpectedly. The flaw specifically occurs when the SMF receives a malformed PFCP (Packet Forwarding Control Protocol) SessionReportRequest message on its PFCP interface, which operates over UDP port 8805. This represents a significant security concern as it directly impacts the availability and stability of 5G core network services.

The technical exploitation of this vulnerability involves sending specially crafted PFCP SessionReportRequest messages that contain malformed data structures, causing the SMF application to attempt to dereference a null pointer during message processing. This type of error typically occurs when the application fails to properly validate incoming PFCP messages or handle edge cases in the protocol parsing logic. The vulnerability maps to CWE-476, which specifically addresses null pointer dereference conditions in software implementations. The panic condition results in complete process termination rather than graceful error handling, which is particularly problematic in telecommunications infrastructure where service availability is paramount. The attack vector is remote and requires only network access to the SMF's PFCP interface, making it highly exploitable within network environments.

The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise the entire 5G core network session management functionality. When the SMF process terminates, all active session management operations cease, leading to service degradation or complete loss of connectivity for 5G subscribers under that SMF's management. This vulnerability directly aligns with ATT&CK technique T1499.004, which covers network denial of service attacks targeting infrastructure components. The termination of the SMF process creates cascading effects throughout the 5G network, as other components must handle session management failures and potentially re-establish connections. Network operators face significant operational challenges including service interruptions, customer dissatisfaction, and potential regulatory compliance issues when such critical infrastructure components fail due to unhandled exceptions.

The mitigation strategies for CVE-2026-25501 focus on network-level protections and application-level defenses. Network access control lists and firewall rules should be implemented to restrict access to the PFCP interface, allowing only trusted UPF (User Plane Function) IP addresses to communicate with the SMF. This approach reduces the attack surface and prevents unauthorized entities from exploiting the vulnerability. Network edge devices can be configured to inspect and drop malformed PFCP SessionReportRequest messages before they reach the SMF, providing an additional layer of protection. Application-level mitigations include implementing recover() mechanisms or exception handlers around the PFCP message dispatch code to prevent the entire process from terminating due to a single malformed message. These defensive measures align with security best practices for building resilient network infrastructure and represent a combination of network security controls and application security hardening techniques. The lack of an upstream fix emphasizes the need for immediate implementation of these workarounds to maintain network stability and service availability.
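The recover() and trusted-peer workarounds described above, sketched in Go as an added example; this is not free5GC code. The names Report, handleReport and safeDispatch are hypothetical, and the addresses are constructed from documentation ranges.

```go
package main

import (
	"fmt"
	"net"
)

// Report is a hypothetical stand-in for a decoded SessionReportRequest.
// An information element missing from the message decodes to a nil pointer.
type Report struct {
	SEID       uint64
	ReportType *uint8
}

// handleReport mimics a handler that reads an element without a nil check.
func handleReport(r *Report) uint8 {
	return *r.ReportType // nil pointer dereference when the element is absent
}

// safeDispatch applies two of the workarounds: it drops messages from peers
// outside the trusted UPF list, and it turns a handler panic into an error.
// recover() only works in the goroutine that panicked, so a wrapper like this
// must run inside each goroutine that executes a handler.
func safeDispatch(trusted map[string]bool, src net.IP, r *Report) (rt uint8, err error) {
	if !trusted[src.String()] {
		return 0, fmt.Errorf("pfcp: dropped message from untrusted peer %s", src)
	}
	defer func() {
		if p := recover(); p != nil {
			err = fmt.Errorf("pfcp: recovered handler panic: %v", p)
		}
	}()
	return handleReport(r), nil
}

func main() {
	trusted := map[string]bool{"192.0.2.10": true} // constructed UPF address
	upf := net.ParseIP("192.0.2.10")
	rt := uint8(1)
	fmt.Println(safeDispatch(trusted, upf, &Report{SEID: 1, ReportType: &rt}))
	fmt.Println(safeDispatch(trusted, upf, &Report{SEID: 2})) // element missing
	fmt.Println(safeDispatch(trusted, net.ParseIP("198.51.100.7"), &Report{SEID: 3}))
}
```

The recovered error should be logged and counted, since a rising rate of recovered panics from one peer is itself a detection signal.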

Responsible: GitHub M
Reservation: 02/02/2026
Disclosure: 02/24/2026
Moderation: accepted
CPE: ready
EPSS: 0.00076
KEV: no
Activities: very low
