CVE-2026-26025 in Free5GC
Summary
by MITRE • 02/24/2026
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface. No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/24/2026
The CVE-2026-26025 vulnerability affects the free5GC SMF (Session Management Function) component within the 5G mobile core network infrastructure. This open-source implementation provides critical session management capabilities for 5G networks, handling the complex interactions between user equipment and the core network through the PFCP (PDU Session Control Protocol) interface. The vulnerability specifically targets the processing of PFCP SessionReportRequest messages on the UDP/8805 port, representing a fundamental flaw in the protocol handling mechanism that could lead to complete service disruption.
The technical flaw manifests as a panic condition within the SMF process when it encounters malformed PFCP SessionReportRequest messages. This panic results in immediate termination of the entire SMF process rather than graceful error handling or message rejection. The vulnerability stems from inadequate input validation and error handling within the PFCP protocol processing code, creating a denial of service scenario where legitimate network operations cease entirely. This behavior aligns with CWE-248, which addresses "Uncaught Exception" conditions in software implementations, and represents a classic example of improper error handling in network protocol stacks.
The operational impact of this vulnerability is severe for 5G network operators relying on free5GC implementations, as it can cause complete disruption of session management services across the entire network. When the SMF process terminates, all active PDU sessions managed by that instance become unavailable, potentially affecting thousands of connected devices simultaneously. The vulnerability creates an attack surface where malicious actors or compromised network elements could exploit this weakness to cause widespread service degradation or complete network outages, particularly in environments where network segmentation is insufficient. This represents a significant concern for network reliability and availability in mission-critical 5G deployments.
Mitigation strategies for CVE-2026-26025 focus on network-level protections and application-level safeguards. Network administrators should implement strict access controls on the PFCP interface using ACLs or firewalls to restrict communication to only trusted UPF (User Plane Function) IP addresses, effectively reducing the attack surface and preventing unauthorized access to the SMF. Edge network inspection capabilities should be deployed to identify and drop malformed PFCP SessionReportRequest messages before they reach the SMF process. Additionally, application-level mitigations include implementing recover() mechanisms around the PFCP handler dispatch functions to prevent process-wide crashes, though this approach only provides partial protection and does not address the root cause. The vulnerability's characteristics align with ATT&CK technique T1499.004, which covers "Endpoint Denial of Service," and represents a critical weakness in network infrastructure that requires immediate attention from security operations teams.