
free5GC SMF crashes when receiving malicious data

CVE-2026-25501
Summary

A nil pointer dereference in free5GC's Session Management Function (SMF) causes the SMF process to panic and terminate when it receives a malformed PFCP SessionReportRequest on its PFCP interface (UDP/8805). This could allow an attacker to disrupt the 5G network. To mitigate the risk, restrict the PFCP interface at the network edge so that only trusted UPF IPs can reach the SMF, or add further measures that keep malformed messages from being processed.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
free5gc | smf | <= 1.4.1 | –
Original title
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics due to nil point...
Original description
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics due to nil pointer dereference and the SMF process terminates. This is triggered by a malformed PFCP SessionReportRequest on the SMF PFCP (UDP/8805) interface. No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).
nvd CVSS3.1 7.5
nvd CVSS4.0 6.6
Vulnerability type
CWE-476 NULL Pointer Dereference
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
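
The recover() workaround named in the description, sketched as an added example (not free5GC code): a dispatch wrapper that turns a handler panic into a logged error so the process keeps running. The `Message`, `Report`, `Handler`, `SafeDispatch` and `handleSessionReport` names are hypothetical, and the sample messages and peer address are constructed.

```go
package main

import (
	"fmt"
	"log"
	"net"
)

// Report and Message are hypothetical stand-ins for a decoded PFCP message.
type Report struct{ SEID uint64 }

type Message struct {
	Type   string
	Report *Report // nil when a malformed request omits the element
}

type Handler func(remote net.Addr, m *Message) error

// SafeDispatch runs h and converts a panic into an error, so one bad
// datagram cannot terminate the whole process. recover() only catches
// panics raised in this goroutine; goroutines started by h need their own.
func SafeDispatch(h Handler, remote net.Addr, m *Message) (err error) {
	defer func() {
		if r := recover(); r != nil {
			log.Printf("pfcp: handler panic, peer=%v: %v", remote, r)
			err = fmt.Errorf("pfcp handler panic: %v", r)
		}
	}()
	return h(remote, m)
}

// handleSessionReport is a constructed handler showing the CWE-476 bug
// class: it dereferences m.Report without a nil check.
func handleSessionReport(_ net.Addr, m *Message) error {
	_ = m.Report.SEID
	return nil
}

func main() {
	peer := &net.UDPAddr{IP: net.IPv4(192, 0, 2, 10), Port: 8805} // constructed
	msgs := []*Message{
		{Type: "SessionReportRequest", Report: &Report{SEID: 1}},
		{Type: "SessionReportRequest"}, // constructed: Report missing
	}
	for _, m := range msgs {
		fmt.Println(SafeDispatch(handleSessionReport, peer, m))
	}
}
```

As the description says, this is mitigation only: the missing nil check remains, and every panic logged by the wrapper is worth alerting on together with its source address.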