What is the CVSS score of CVE-2026-41135?

CVE-2026-41135 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of free5GC PCF are affected by CVE-2026-41135?

free5GC Policy Control Function (PCF) versions before 1.4.3 are vulnerable to unauthenticated denial-of-service attacks that exhaust server memory through repeated HTTP requests, preventing all User…. A patch is available.

How to fix or mitigate CVE-2026-41135?

Within 24 hours: identify all free5GC PCF deployments and document current versions running in production and non-production environments. Within 7 days: upgrade all PCF instances to version 1.4.3 or later (per commit 599803b) and validate functionality in lab environment before production deployment. Within 30 days: implement network-level rate limiting on the OAM endpoint over the Service-Based Interface and enable request throttling to mitigate variant attack vectors.

free5GC PCF CVE-2026-41135

EUVD-2026-24575 HIGH

Uncontrolled Resource Consumption (CWE-400)

2026-04-22 security-advisories@github.com

GHSA-98cp-84m9-q3qp

Denial Of Service Free5gc Pcf

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch released

Apr 23, 2026 - 19:41 nvd

Patch available

Apr 22, 2026 - 21:02 EUVD

Re-analysis Queued

Apr 22, 2026 - 15:22 vuln.today

cvss_changed

Analysis Generated

Apr 22, 2026 - 00:58 vuln.today

EUVD ID Assigned

Apr 22, 2026 - 00:22 euvd

EUVD-2026-24575

Analysis Generated

Apr 22, 2026 - 00:22 vuln.today

CVE Published

Apr 22, 2026 - 00:16 nvd

HIGH 7.5

DescriptionGitHub Advisory

free5GC UDR is the Policy Control Function (PCF) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. A memory leak vulnerability in versions prior to 1.4.3 allows any unauthenticated attacker with network access to the PCF SBI interface to cause uncontrolled memory growth by sending repeated HTTP requests to the OAM endpoint. The root cause is a router.Use() call inside an HTTP handler that registers a new CORS middleware on every incoming request, permanently growing the Gin router's handler chain. This leads to progressive memory exhaustion and eventual Denial of Service of the PCF, preventing all UEs from obtaining AM and SM policies and blocking 5G session establishment. Version 1.4.3 contains a patch.

AnalysisAI

Unauthenticated remote attackers can crash free5GC Policy Control Function (PCF) versions before 1.4.3 via repeated HTTP requests to the OAM endpoint over the Service-Based Interface. Each request leaks memory by registering duplicate CORS middleware in the Gin router handler chain, causing progressive memory exhaustion that prevents all User Equipment from establishing 5G sessions. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Access PCF SBI network

Delivery

Send repeated HTTP requests to OAM endpoint

Exploit

Trigger middleware registration in each handler

Execution

Exhaust process memory

Persist

Crash PCF service

Impact

Block all UE session establishment

Access

Access PCF SBI network

Delivery

Send repeated HTTP requests to OAM endpoint

Exploit

Trigger middleware registration in each handler

Execution

Exhaust process memory

Persist

Crash PCF service

Impact

Block all UE session establishment

Vulnerability AssessmentAI

Exploitation	Exploitation requires network-layer access to the free5GC Policy Control Function Service-Based Interface (SBI), specifically the OAM endpoint exposed over HTTP/HTTPS. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	This represents a critical operational risk for production 5G networks running vulnerable free5GC PCF instances. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker on a network with routing access to the free5GC PCF Service-Based Interface (common in research testbeds, inadequately segmented private 5G deployments, or cloud-hosted lab environments) identifies the PCF OAM endpoint through network scanning or documentation review. Using a simple script with standard HTTP libraries (curl in a bash loop, Python requests, or custom Go code), the attacker sends continuous HTTP requests to the OAM endpoint at a moderate rate. …
Remediation	Upgrade free5GC to version 1.4.3 or later, which includes the patch commit 599803b1b2eb4611e26d5216481ee142bce71a16 that relocates the `router.Use()` middleware registration outside the request handler to execute only once during application initialization. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all free5GC PCF deployments and document current versions running in production and non-production environments. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-41135 vulnerability details – vuln.today

Back

free5GC PCF CVE-2026-41135

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code