6.6

free5GC SMF Crashes When Processing Bad Network Messages

CVE-2026-26025
Summary

A flaw in free5GC's Session Management Function (SMF) causes it to crash when it receives a malformed PFCP SessionReportRequest. This can allow attackers to disrupt the network. To reduce exposure, restrict the PFCP interface so that only trusted IP addresses can reach the SMF, filter out malformed messages at the network edge where feasible, or apply a workaround (a recover() around PFCP handler dispatch) so that a panic does not terminate the whole SMF process.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| free5gc | smf | <= 1.4.1 | |
Original title
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates w...
Original description
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface. No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).
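The recover() workaround and the trusted-UPF restriction named in the description, sketched as an added example (not free5GC code and not an upstream patch). All types, function names and addresses are hypothetical, and the nil Report Type field is an assumed trigger used only to produce a CWE-476 panic.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Hypothetical stand-ins for decoded PFCP types; not free5GC's own structs.
type ReportType struct{ Dldr bool }
type SessionReportRequest struct {
	SEID       uint64
	ReportType *ReportType // nil when the peer omits the IE (assumed trigger)
}

var errUntrustedPeer = errors.New("pfcp: peer not in trusted UPF list")

// handleSessionReport shows the CWE-476 pattern: a pointer dereferenced without a nil check.
func handleSessionReport(req *SessionReportRequest) error {
	if req.ReportType.Dldr { // panics when ReportType is nil
		return nil // a downlink data report would be processed here
	}
	return errors.New("pfcp: unsupported report type")
}

// safeDispatch drops untrusted peers and turns a handler panic into an error.
func safeDispatch(trusted map[netip.Addr]bool, peer netip.Addr, req *SessionReportRequest) (err error) {
	if !trusted[peer] {
		return errUntrustedPeer
	}
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("pfcp: handler panic on message from %s: %v", peer, r)
		}
	}()
	return handleSessionReport(req)
}

// Constructed sample peers (documentation address ranges).
var (
	upf      = netip.MustParseAddr("192.0.2.10")
	stranger = netip.MustParseAddr("198.51.100.7")
	trusted  = map[netip.Addr]bool{upf: true}
)

func main() {
	fmt.Println(safeDispatch(trusted, upf, &SessionReportRequest{SEID: 1, ReportType: &ReportType{Dldr: true}}))
	fmt.Println(safeDispatch(trusted, upf, &SessionReportRequest{SEID: 2})) // malformed
	fmt.Println(safeDispatch(trusted, stranger, &SessionReportRequest{SEID: 3}))
}
```

recover() only catches panics raised in the goroutine that runs the deferred function, so a handler that spawns its own goroutines needs the same guard there. An in-process allowlist checks the claimed UDP source address only, so it complements the network ACL rather than replacing it.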
nvd CVSS3.1 7.5
nvd CVSS4.0 6.6
Vulnerability type
CWE-476 NULL Pointer Dereference
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026