CVE-2026-26025
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
free5GC SMF provides the Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface. No known upstream fix is available, but workarounds exist: restrict the PFCP interface with ACL or firewall rules so that only trusted UPF IPs can reach SMF (reducing the spoofing/abuse surface); drop or inspect malformed PFCP SessionReportRequest messages at the network edge where feasible; and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).
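The recover() workaround named above can be sketched as follows. This is an added example, not free5GC code: `Handler`, `safeDispatch`, `fragileHandler` and `processAll` are hypothetical names, and the handler and input messages are constructed to stand in for a handler that panics on malformed input.

```go
package main

import (
	"fmt"
	"log"
)

// Handler is a hypothetical stand-in for a PFCP message handler (not free5GC's type).
type Handler func(msg []byte) error

// safeDispatch runs h and converts any panic it raises into an error, so a
// single malformed message cannot terminate the whole process.
func safeDispatch(h Handler, msg []byte) (err error) {
	defer func() {
		if r := recover(); r != nil {
			log.Printf("pfcp: recovered handler panic: %v (msg len=%d)", r, len(msg))
			err = fmt.Errorf("pfcp handler panic: %v", r)
		}
	}()
	return h(msg)
}

// fragileHandler is a constructed handler that assumes a full 16-byte header
// is present and panics (index out of range) when the message is shorter.
func fragileHandler(msg []byte) error {
	_ = msg[15]
	return nil
}

// processAll dispatches every message and reports how many were handled and
// how many were dropped after a recovered panic.
func processAll(h Handler, msgs [][]byte) (handled, dropped int) {
	for _, m := range msgs {
		if err := safeDispatch(h, m); err != nil {
			dropped++
			continue
		}
		handled++
	}
	return handled, dropped
}

func main() {
	// Constructed inputs: two well-sized buffers and one truncated message.
	msgs := [][]byte{make([]byte, 16), {0x21, 0x38}, make([]byte, 32)}
	handled, dropped := processAll(fragileHandler, msgs)
	fmt.Printf("handled=%d dropped=%d\n", handled, dropped)
}
```

recover() only catches panics raised in the goroutine that deferred it, so a handler that spawns its own goroutines needs the same wrapper inside each one. Recovered panics should be logged and counted, since a burst of them on UDP/8805 is itself a signal of abnormal PFCP traffic.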
Analysis
free5GC SMF versions up to and including 1.4.1 crash when receiving malformed PFCP SessionReportRequest packets on UDP port 8805, allowing unauthenticated remote attackers to cause denial of service. Public exploit code exists for this vulnerability and no official patch is currently available, so organizations must rely on network-level mitigations such as ACL restrictions or PFCP message inspection.
Remediation
Within 24 hours: identify all systems running free5GC SMF versions 1.4.1 or earlier and isolate them from untrusted networks if possible. Within 7 days: implement network segmentation to restrict access to the PFCP interface (UDP/8805) to trusted UPF (User Plane Function) nodes only, and establish monitoring for abnormal PFCP traffic patterns. …