CVE-2026-26024 in Free5GC
Summary
by MITRE • 02/24/2026
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface. No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/24/2026
The CVE-2026-26024 vulnerability affects the free5GC SMF (Session Management Function) component within the 5G mobile core network infrastructure. This open-source implementation provides critical session management capabilities for 5G networks, handling the complex signaling required for user plane connectivity and session control. The vulnerability specifically targets the PFCP (Proxy Function Control Protocol) interface operating on UDP port 8805, which serves as the primary communication channel between the SMF and UPF (User Plane Function) components in the 5G core network architecture. The SMF's failure to properly validate incoming PFCP messages creates a fundamental security weakness that can be exploited to cause denial of service conditions.
The technical flaw manifests when the SMF processes a malformed PFCP SessionReportRequest message, causing the application to panic and terminate unexpectedly. This represents a classic buffer overflow or improper input validation vulnerability that falls under CWE-248, where an exception or error condition leads to program termination. The panic condition occurs at the PFCP handler dispatch level, indicating that the system lacks proper error handling mechanisms to gracefully process malformed inputs. The vulnerability is particularly concerning because it affects the core session management functionality, potentially disrupting all active user sessions and network connectivity for subscribers.
The operational impact of this vulnerability extends beyond simple service disruption, as it can be exploited to create widespread network instability within 5G core deployments using free5GC. Network operators relying on this open-source implementation face the risk of complete SMF service outages, which would cascade into user plane connectivity failures and potentially affect multiple subscribers simultaneously. The vulnerability's exploitation requires minimal network access to send malformed PFCP messages to the UDP/8805 interface, making it particularly dangerous in environments where network segmentation is insufficient. This aligns with ATT&CK technique T1499.004, where adversaries target network infrastructure to cause service disruption through resource exhaustion or application crashes.
Mitigation strategies for this vulnerability focus on network-level protections and application-level hardening measures. Network administrators should implement strict access controls by ACLing the PFCP interface to permit communication only from trusted UPF IP addresses, effectively reducing the attack surface and preventing unauthorized access to the SMF. Edge network inspection capabilities can be leveraged to detect and drop malformed PFCP SessionReportRequest messages before they reach the SMF, providing an additional layer of defense. The application-level mitigation involves adding recover() mechanisms around PFCP handler dispatch functions to prevent complete process termination when malformed messages are encountered, though this approach provides only partial protection. Organizations should also consider implementing monitoring and alerting for SMF process crashes and network anomalies that may indicate exploitation attempts. The vulnerability highlights the importance of proper error handling and input validation in network infrastructure components, particularly those handling critical control plane signaling in 5G networks where reliability and availability are paramount for maintaining service continuity and user experience.