How to fix CVE-2025-69247?

Within 24 hours: Identify all systems running free5GC go-upf versions prior to 1.2.8 and assess their criticality to production 5G services. Within 7 days: Apply vendor patch to version 1.2.8 or later in a controlled testing environment and validate functionality. Within 30 days: Complete patching of all production UPF instances with change management protocols and monitor for stability post-deployment.

Is Heap Overflow affected by CVE-2025-69247?

A heap-based buffer overflow vulnerability in free5GC go-upf (versions prior to 1.2.8) could allow attackers to crash 5G User Plane Function services, disrupting network connectivity for mobile subscribers.

CVE-2025-69247

HIGH

2026-02-23 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 25, 2026 - 16:21 vuln.today

Public exploit code

Patch Released

Feb 25, 2026 - 16:21 nvd

Patch available

CVE Published

Feb 23, 2026 - 22:16 nvd

HIGH 7.5

Description

free5GC go-upf is the User Plane Function (UPF) implementation for 5G networks that is part of the free5GC project. Versions prior to 1.2.8 have a Heap-based Buffer Overflow (CWE-122) vulnerability leading to Denial of Service. Remote attackers can crash the UPF network element by sending a specially crafted PFCP Session Modification Request with an invalid SDF Filter length field. This causes a heap buffer overflow, resulting in complete service disruption for all connected UEs and potential cascading failures affecting the SMF. All deployments of free5GC using the UPF component may be affected. Version 1.2.8 of go-upf contains a fix.

Analysis

Technical Context

Classified as CWE-122 (Heap-based Buffer Overflow). Affects the complete component of Go-Upf. free5GC go-upf is the User Plane Function (UPF) implementation for 5G networks that is part of the free5GC project. Versions prior to 1.2.8 have a Heap-based Buffer Overflow (CWE-122) vulnerability leading to Denial of Service. Remote attackers can crash the UPF network element by sending a specially crafted PFCP Session Modification Request with an invalid SDF Filter length field. This causes a heap buffer overflow, resulting in complete service disruption for all connected UEs and potential ca

Affected Products

Vendor: Free5Gc. Product: Go-Upf. Versions: up to 1.2.8. Component: complete.

Remediation

A vendor patch is available — apply it immediately. Enable ASLR, DEP/NX, and stack canaries where possible. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +38

POC: +20

CVE-2025-69247 vulnerability details – vuln.today

Back

CVE-2025-69247

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-69247

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code