{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1682", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-01-30T07:35:31.971Z", "datePublished": "2026-01-30T14:02:07.468Z", "dateUpdated": "2026-02-23T09:08:18.220Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:08:18.220Z"}, "title": "Free5GC SMF PFCP UDP Endpoint handler.go HandlePfcpAssociationReleaseRequest null pointer dereference", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-476", "lang": "en", "description": "NULL Pointer Dereference"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-404", "lang": "en", "description": "Denial of Service"}]}], "affected": [{"vendor": "Free5GC", "product": "SMF", "versions": [{"version": "4.0", "status": "affected"}, {"version": "4.1.0", "status": "affected"}], "modules": ["PFCP UDP Endpoint"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in Free5GC SMF up to 4.1.0. Affected is the function HandlePfcpAssociationReleaseRequest of the file internal/pfcp/handler/handler.go of the component PFCP UDP Endpoint. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been published and may be used. A patch should be applied to remediate this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-01-30T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-01-30T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-17T20:46:42.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "ZiyuLin (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.343475", "name": "VDB-343475 | Free5GC SMF PFCP UDP Endpoint handler.go HandlePfcpAssociationReleaseRequest null pointer dereference", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.343475", "name": "VDB-343475 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.739508", "name": "Submit #739508 | free5gc SMF v4.1.0 Denial of Service", "tags": ["third-party-advisory"]}, {"url": "https://github.com/free5gc/free5gc/issues/794", "tags": ["issue-tracking"]}, {"url": "https://github.com/free5gc/free5gc/issues/794#issuecomment-3761063382", "tags": ["issue-tracking"]}, {"url": "https://github.com/free5gc/free5gc/issues/794#issue-3811888505", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/free5gc/smf/pull/188", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/free5gc/smf/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-30T14:50:18.306790Z", "id": "CVE-2026-1682", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T14:50:52.750Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1682", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-30T14:50:18.306790Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T14:50:35.372Z"}}], "cna": {"title": "Free5GC SMF PFCP UDP Endpoint handler.go HandlePfcpAssociationReleaseRequest null pointer dereference", "credits": [{"lang": "en", "type": "reporter", "value": "ZiyuLin (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "Free5GC", "modules": ["PFCP UDP Endpoint"], "product": "SMF", "versions": [{"status": "affected", "version": "4.0"}, {"status": "affected", "version": "4.1.0"}]}], "timeline": [{"lang": "en", "time": "2026-01-30T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-01-30T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-17T20:46:42.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.343475", "name": "VDB-343475 | Free5GC SMF PFCP UDP Endpoint handler.go HandlePfcpAssociationReleaseRequest null pointer dereference", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.343475", "name": "VDB-343475 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.739508", "name": "Submit #739508 | free5gc SMF v4.1.0 Denial of Service", "tags": ["third-party-advisory"]}, {"url": "https://github.com/free5gc/free5gc/issues/794", "tags": ["issue-tracking"]}, {"url": "https://github.com/free5gc/free5gc/issues/794#issuecomment-3761063382", "tags": ["issue-tracking"]}, {"url": "https://github.com/free5gc/free5gc/issues/794#issue-3811888505", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/free5gc/smf/pull/188", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/free5gc/smf/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in Free5GC SMF up to 4.1.0. Affected is the function HandlePfcpAssociationReleaseRequest of the file internal/pfcp/handler/handler.go of the component PFCP UDP Endpoint. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been published and may be used. A patch should be applied to remediate this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "NULL Pointer Dereference"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-404", "description": "Denial of Service"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:08:18.220Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1682", "state": "PUBLISHED", "dateUpdated": "2026-02-23T09:08:18.220Z", "dateReserved": "2026-01-30T07:35:31.971Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-01-30T14:02:07.468Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF0DB381-157B-4D05-B3D3-A2419F1D0E05", "versionEndIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Free5GC SMF up to 4.1.0. Affected is the function HandlePfcpAssociationReleaseRequest of the file internal/pfcp/handler/handler.go of the component PFCP UDP Endpoint. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been published and may be used. A patch should be applied to remediate this issue."}], "id": "CVE-2026-1682", "lastModified": "2026-02-23T10:16:18.610", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-01-30T14:16:07.100", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/free5gc/free5gc/issues/794"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/free5gc/free5gc/issues/794#issue-3811888505"}, {"source": "cna@vuldb.com", "tags": ["Issue Tracking"], "url": "https://github.com/free5gc/free5gc/issues/794#issuecomment-3761063382"}, {"source": "cna@vuldb.com", "url": "https://github.com/free5gc/smf/"}, {"source": "cna@vuldb.com", "tags": ["Issue Tracking"], "url": "https://github.com/free5gc/smf/pull/188"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.343475"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.343475"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.739508"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-404"}, {"lang": "en", "value": "CWE-476"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:28:51.979356+00:00", "value": {"mitigation_remediation": ["Apply the official Free5GC SMF patch that upgrades HandlePfcpAssociationReleaseRequest to a release newer than 4.1.0.", "Configure firewall rules to restrict PFCP UDP traffic so the SMF accepts messages only from authenticated peers, thereby limiting the attack surface while the patch is applied.", "After applying the patch, restart the SMF service to load the updated binary and ensure the crash condition no longer occurs."], "summary": {"action": "Patch", "impact": "Remote Denial of Service"}, "threat_synthesis": {"affected_systems": "Free5GC SMF component versions up to 4.1.0 are affected. The flaw resides in the internal/pfcp/handler/handler.go file within the PFCP UDP Endpoint of the SMF. Users running the open\u2011source 5G core stack should verify that their SMF deployment is newer than 4.1.0 to avoid the vulnerability.", "description_and_impact": "Free5GC SMF contains a null pointer dereference in the HandlePfcpAssociationReleaseRequest function of its PFCP UDP Endpoint. When the SMF processes a malformed PFCP Association Release Request, the handler dereferences a nil pointer, causing the SMF process to crash. This crash results in a denial of service for the affected SMF, disrupting routing and control functions in the 5G core. The vulnerability is identified as CWE\u2011476 (Null Pointer Dereference) and does not allow arbitrary code execution. The description states that the attack may be launched remotely, implying a crafted PFCP message is needed; this is inferred from the wording that a manipulation can lead to the dereference.\n\nRisk is further defined by a CVSS score of 6.9, indicating medium severity, and an EPSS of <1%, suggesting exploitation is currently unlikely although an exploit has already been published. The vulnerability is not listed in the CISA KEV catalog, so no immediate alerts are issued. However, because the flaw can be triggered by a single crafted PFCP Association Release Request over UDP, the attack remains possible until a patch is applied.", "risk_and_exploitability": "The medium CVSS score reflects the potential for a denial of service but not for arbitrary code execution. With an EPSS of <1%, current exploitation rates are low, yet the existence of a publicly released exploit raises concern. The vulnerability is not present in CISA KEV, indicating no current active advisories. The flaw can be triggered remotely by an attacker sending a crafted PFCP Association Release Request, which is inferred to be the required input to trigger the null pointer dereference, but no further privileges are gained. Until a patch is applied, the SMF remains exposed to potential crashes from malicious PFCP traffic."}}}}, "created": "2026-02-02T09:27:47.216022+00:00", "updated": "2026-04-18T14:30:02.948174+00:00", "vendors": ["free5gc", "free5gc$PRODUCT$smf"]}