Free5gc

22 CVEs product

CVE-2026-41136 Go MEDIUM PATCH GHSA This Month

Improper error handling in free5GC AMF prior to version 1.4.3 allows remote attackers to invoke the HTTPUEContextTransfer handler with uninitialized request objects by sending requests with unsupported Content-Type headers. The missing default case in the Content-Type switch statement silently skips deserialization without raising an error, resulting in integrity loss when malformed or crafted payloads reach the processor with null/uninitialized state. CVSS score of 5.5 reflects low integrity impact; publicly available exploit code exists (E:P).

Deserialization Amf Free5gc
NVD GitHub
CVSS 4.0: 5.5
EPSS: 0.0%
CVE-2026-41135 Go HIGH PATCH GHSA This Week

Unauthenticated remote attackers can crash free5GC Policy Control Function (PCF) versions before 1.4.3 via repeated HTTP requests to the OAM endpoint over the Service-Based Interface. Each request leaks memory by registering duplicate CORS middleware in the Gin router handler chain, causing progressive memory exhaustion that prevents all User Equipment from establishing 5G sessions. Patched in version 1.4.3 via commit 599803b. EPSS data unavailable; not listed in CISA KEV. CVSS 7.5 High severity reflects network-accessible unauthenticated attack with high availability impact.

Denial Of Service Free5gc Pcf
NVD GitHub
CVSS 3.1: 7.5
EPSS: 0.0%
CVE-2026-5661 MEDIUM POC PATCH This Month

Denial of service in Free5GC 4.2.0 NGSetupRequest Handler allows unauthenticated remote attackers to crash the AMF (Access and Mobility Management Function) component via malformed requests. The vulnerability has a publicly available exploit and a vendor-released patch, with EPSS score of 5.3 indicating moderate but real exploitation risk despite low CVSS scoring.

Denial Of Service Free5gc
NVD VulDB GitHub
CVSS 4.0: 5.5
EPSS: 0.1%
CVE-2026-5360 LOW Monitor

Type confusion in Free5GC 4.2.0's aper component allows remote attackers to trigger memory corruption and information disclosure with high attack complexity and without authentication. The vulnerability stems from improper type handling in ASN.1 parsing and has publicly available exploit code, though active exploitation at scale has not been confirmed. CVSS 6.3 with availability impact and exploit proof-of-concept disclosure warrant timely patching.

Information Disclosure Memory Corruption Free5gc
NVD GitHub VulDB
CVSS 4.0: 2.9
EPSS: 0.0%
CVE-2026-4531 Go MEDIUM PATCH This Month

Free5GC 4.1.0's AMF component is susceptible to a denial of service attack in the HandleRegistrationComplete function that can be exploited remotely without authentication. An attacker can manipulate the registration process to crash or disable the affected service. A patch is available and should be applied to restore normal operation.

Denial Of Service Free5gc
NVD VulDB GitHub
CVSS 4.0: 6.9
EPSS: 0.1%
CVE-2026-2525 MEDIUM POC This Month

Free5GC versions up to 4.1.0 are vulnerable to denial of service attacks targeting the PFCP UDP Endpoint component, which can be exploited remotely without authentication. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected deployments at risk of service disruption.

Denial Of Service Free5gc
NVD GitHub VulDB
CVSS 3.1: 5.3
EPSS: 0.1%
CVE-2025-70123 HIGH POC This Week

An improper input validation and protocol compliance vulnerability in free5GC v4.0.1 allows remote attackers to cause a denial of service. The UPF incorrectly accepts a malformed PFCP Association Setup Request, violating 3GPP TS 29.244. [CVSS 7.5 HIGH]

Denial Of Service Free5gc
NVD GitHub
CVSS 3.1: 7.5
EPSS: 0.2%
CVE-2025-70122 HIGH POC This Week

A heap buffer overflow vulnerability in the UPF component of free5GC v4.0.1 allows remote attackers to cause a denial of service via a crafted PFCP Session Modification Request. [CVSS 7.5 HIGH]

Buffer Overflow Denial Of Service Free5gc
NVD GitHub
CVSS 3.1: 7.5
EPSS: 0.1%
CVE-2025-70121 HIGH POC This Week

An array index out of bounds vulnerability in the AMF component of free5GC v4.0.1 allows remote attackers to cause a denial of service via a crafted 5GS Mobile Identity in a NAS Registration Request message. [CVSS 7.5 HIGH]

Denial Of Service Free5gc
NVD GitHub
CVSS 3.1: 7.5
EPSS: 0.1%
CVE-2026-1976 MEDIUM POC This Month

Free5GC versions up to 4.1.0 are vulnerable to a null pointer dereference in the SMF component's SessionDeletionResponse function, allowing unauthenticated remote attackers to cause denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.

Null Pointer Dereference Free5gc
NVD GitHub VulDB
CVSS 3.1: 5.3
EPSS: 0.1%
CVE-2026-1975 MEDIUM POC This Month

Free5GC versions up to 4.1.0 contain a null pointer dereference vulnerability in the identityTriggerType function of pfcp_reports.go that allows remote attackers to cause denial of service without authentication. Public exploit code exists for this vulnerability, and no patch is currently available.

Null Pointer Dereference Free5gc
NVD GitHub VulDB
CVSS 3.1: 5.3
EPSS: 0.1%
CVE-2026-1974 MEDIUM POC This Month

Free5GC versions up to 4.1.0 contain a denial of service vulnerability in the SMF component's ResolveNodeIdToIp function that can be exploited remotely without authentication. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected 5G network infrastructure at risk of service disruption.

Golang Denial Of Service Free5gc
NVD GitHub VulDB
CVSS 3.1: 5.3
EPSS: 0.1%
CVE-2026-1973 MEDIUM POC This Month

Free5GC versions up to 4.1.0 contain a null pointer dereference in the SMF's establishPfcpSession function that can be triggered remotely without authentication, causing a denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.

Null Pointer Dereference Free5gc
NVD GitHub VulDB
CVSS 3.1: 5.3
EPSS: 0.1%
CVE-2026-1684 MEDIUM POC This Month

Denial of service in Free5GC SMF versions up to 4.1.0 allows unauthenticated remote attackers to crash the PFCP UDP endpoint via improper handling of reports in the HandleReports function. Public exploit code exists for this vulnerability, and no patch is currently available. Organizations running affected Free5GC deployments should implement network-level mitigations to restrict PFCP endpoint access.

Golang Denial Of Service Free5gc
NVD GitHub VulDB
CVSS 3.1: 5.3
EPSS: 0.1%
CVE-2026-1683 MEDIUM POC This Month

Remote attackers can trigger a denial of service condition in Free5GC SMF versions up to 4.1.0 through crafted PFCP session report requests to the HandlePfcpSessionReportRequest function. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected deployments vulnerable to service disruption attacks.

Golang Denial Of Service Free5gc
NVD GitHub VulDB
CVSS 3.1: 5.3
EPSS: 0.1%
CVE-2026-1682 MEDIUM POC This Month

Free5GC SMF versions up to 4.1.0 contain a null pointer dereference in the PFCP UDP endpoint handler that can be triggered remotely without authentication, leading to denial of service. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can crash the session management function by sending specially crafted PFCP association release requests.

Golang Null Pointer Dereference Free5gc
NVD GitHub VulDB
CVSS 3.1: 5.3
EPSS: 0.1%
CVE-2025-60638 Go HIGH POC PATCH This Week

An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via a crafted POST request to the Nnssf_NSSAIAvailability API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Free5gc Suse
NVD GitHub
CVSS 3.1: 7.5
EPSS: 0.2%
CVE-2025-60633 Go MEDIUM PATCH This Month

An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Free5gc Suse
NVD GitHub
CVSS 3.1: 6.5
EPSS: 0.2%
CVE-2025-60632 Go MEDIUM PATCH This Month

An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via a crafted POST request to the Npcf_BDTPolicyControl API. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Free5gc Suse
NVD GitHub
CVSS 3.1: 6.5
EPSS: 0.1%
CVE-2025-63679 HIGH POC This Month

free5gc v4.1.0 and before is vulnerable to Buffer Overflow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Free5gc
NVD GitHub
CVSS 3.1: 7.5
EPSS: 0.1%
CVE-2025-56394 HIGH POC This Month

Free5gc 4.0.1 is vulnerable to Buffer Overflow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Heap Overflow Buffer Overflow Free5gc
NVD GitHub
CVSS 3.1: 7.5
EPSS: 0.1%
CVE-2025-29632 MEDIUM POC This Month

Buffer Overflow vulnerability in Free5gc v.4.0.0 allows a remote attacker to cause a denial of service via the AMF, NGAP, security.go, handler_generated.go, handleInitialUEMessageMain,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Buffer Overflow Denial Of Service Free5gc
NVD GitHub
CVSS 3.1: 5.4
EPSS: 0.2%
