Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Missing Values (CWE-230) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops.
AnalysisAI
Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows adjacent network attackers to degrade service availability by continuously transmitting specially crafted messages that trigger improper handling of missing values (CWE-230). The affected PCG nodes crash repeatedly under sustained attack but self-recover once traffic stops, so impact is transient yet operationally significant for mobile core networks. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
Packet Core Gateway is Ericsson's cloud-native 5G Core network function combining SMF and UPF roles, handling session management and user-plane forwarding for mobile subscribers. The root cause is CWE-230 (Improper Handling of Missing Values), meaning a protocol message parser fails to validate that expected fields are present before dereferencing or processing them, causing the handling process to crash. Because PCG terminates signaling and user-plane traffic from adjacent network elements (gNodeBs, AMFs, peer UPFs over N4/N3/N6 interfaces), a malformed message reaching the relevant parser is enough to disrupt subscriber sessions traversing that node. The CPE 'cpe:2.3:a:ericsson:packet_core_gateway_(pcg):*' covers all versions below the fixed 1.30 release.
RemediationAI
Upgrade Ericsson Packet Core Gateway to version 1.30 or later, which is the vendor-released patch that resolves CVE-2026-25658 per the Ericsson PSIRT advisory at https://www.ericsson.com/en/about-us/security/psirt/cve-2026-25658. Where an immediate upgrade window is unavailable, operators should restrict adjacent-network reachability to the PCG by tightening ACLs on N2/N4/N3/Sx interfaces so that only authenticated peer NFs (AMF, SMF, gNodeB, peer UPFs) can send signaling, deploy signaling-firewall or GTP/PFCP inspection to drop malformed messages before they reach the gateway, and enable rate-limiting and anomaly alerting on the affected interfaces; these controls reduce exposure but can add latency and may block legitimate traffic from misconfigured peers, so they should be staged with monitoring. Ensure HA/redundancy and automatic process restart are configured so that the documented self-recovery behavior minimizes user-visible outage during any attempted exploitation.
Directory traversal vulnerability in the Instance Monitor in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5
The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection vulnerability in the User ID and password fields that a
The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access control mechanisms. Rated critical severity (CVSS
In Ericsson Network Location before 2021-07-31, it is possible for an authenticated attacker to inject commands via file
The Ericsson-LG iPECS NMS A.1Ac web application discloses sensitive information such as the NMS admin credentials and th
In Ericsson ECM before 18.0, it was observed that Security Provider Endpoint in the User Profile Management Section is v
Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs. Rated high severity (CVSS
XSS exists in Ericsson Active Library Explorer (ALEX) 14.3 in multiple parameters in the "/cgi-bin/alexserv" servlet, as
Open redirect vulnerability in the 3PI Manager in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 all
In Ericsson ECM before 18.0, it was observed that Security Management Endpoint in User Profile Management Section is vul
In Ericsson BSCS iX R18 Billing & Rating iX R18, ADMX is a web base module in BSCS iX that is vulnerable to stored XSS v
In Ericsson BSCS iX R18 Billing & Rating iX R18, MX is a web base module in BSCS iX that is vulnerable to stored XSS via
Same weakness CWE-230 – Improper Handling of Missing Values
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34822
GHSA-5p28-qfxx-wqm8