{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1973", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-05T13:33:39.834Z", "datePublished": "2026-02-06T01:32:08.923Z", "dateUpdated": "2026-02-23T09:19:46.366Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:19:46.366Z"}, "title": "Free5GC SMF establishPfcpSession null pointer dereference", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-476", "lang": "en", "description": "NULL Pointer Dereference"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-404", "lang": "en", "description": "Denial of Service"}]}], "affected": [{"vendor": "n/a", "product": "Free5GC", "versions": [{"version": "4.0", "status": "affected"}, {"version": "4.1.0", "status": "affected"}], "cpes": ["cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*"], "modules": ["SMF"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Free5GC up to 4.1.0. The impacted element is the function establishPfcpSession of the component SMF. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. It is best practice to apply a patch to resolve this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-02-05T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-05T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-09T17:03:04.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "ZiyuLin (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.344495", "name": "VDB-344495 | Free5GC SMF establishPfcpSession null pointer dereference", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344495", "name": "VDB-344495 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.743236", "name": "Submit #743236 | free5gc SMF v4.1.0 Denial of Service", "tags": ["third-party-advisory"]}, {"url": "https://github.com/free5gc/free5gc/issues/815", "tags": ["issue-tracking"]}, {"url": "https://github.com/free5gc/free5gc/issues/815#issue-3832032062", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/free5gc/smf/pull/189", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/free5gc/free5gc/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T19:31:53.954682Z", "id": "CVE-2026-1973", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T19:32:02.166Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1973", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-06T19:31:53.954682Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T19:31:59.085Z"}}], "cna": {"title": "Free5GC SMF establishPfcpSession null pointer dereference", "credits": [{"lang": "en", "type": "reporter", "value": "ZiyuLin (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"cpes": ["cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*"], "vendor": "n/a", "modules": ["SMF"], "product": "Free5GC", "versions": [{"status": "affected", "version": "4.0"}, {"status": "affected", "version": "4.1.0"}]}], "timeline": [{"lang": "en", "time": "2026-02-05T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-05T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-09T17:03:04.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.344495", "name": "VDB-344495 | Free5GC SMF establishPfcpSession null pointer dereference", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344495", "name": "VDB-344495 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.743236", "name": "Submit #743236 | free5gc SMF v4.1.0 Denial of Service", "tags": ["third-party-advisory"]}, {"url": "https://github.com/free5gc/free5gc/issues/815", "tags": ["issue-tracking"]}, {"url": "https://github.com/free5gc/free5gc/issues/815#issue-3832032062", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/free5gc/smf/pull/189", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/free5gc/free5gc/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Free5GC up to 4.1.0. The impacted element is the function establishPfcpSession of the component SMF. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. It is best practice to apply a patch to resolve this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "NULL Pointer Dereference"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-404", "description": "Denial of Service"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:19:46.366Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1973", "state": "PUBLISHED", "dateUpdated": "2026-02-23T09:19:46.366Z", "dateReserved": "2026-02-05T13:33:39.834Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-06T01:32:08.923Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF0DB381-157B-4D05-B3D3-A2419F1D0E05", "versionEndIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Free5GC up to 4.1.0. The impacted element is the function establishPfcpSession of the component SMF. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. It is best practice to apply a patch to resolve this issue."}], "id": "CVE-2026-1973", "lastModified": "2026-02-09T15:48:21.187", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-06T02:16:05.620", "references": [{"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://github.com/free5gc/free5gc/"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/free5gc/free5gc/issues/815"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/free5gc/free5gc/issues/815#issue-3832032062"}, {"source": "cna@vuldb.com", "tags": ["Issue Tracking"], "url": "https://github.com/free5gc/smf/pull/189"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.344495"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.344495"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.743236"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-404"}, {"lang": "en", "value": "CWE-476"}], "source": "cna@vuldb.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:57:16.155760+00:00", "value": {"mitigation_remediation": ["Upgrade to a Free5GC release newer than 4.1.0, which contains the patch for establishPfcpSession.", "Restrict network access to the SMF control\u2011plane interfaces to trusted entities and enforce authentication checks before processing PFCP sessions.", "Enable logging for SMF failures and monitor for repeated crash events, alerting administrators to potential exploitation attempts."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is Free5GC, the open\u2011source 5G core implementation. All releases up through version 4.1.0 are impacted; later releases contain the patched code.", "description_and_impact": "Free5GC versions up to 4.1.0 contain a null pointer dereference in the establishPfcpSession function of the SMF component. When this function receives a crafted request, it dereferences a null pointer, causing the SMF process to crash. This vulnerability leads to a denial\u2011of\u2011service condition and may allow an attacker to disrupt 5G core network services. The weakness corresponds to CWE\u2011404 (Improper Resource Shutdown or Release) and CWE\u2011476 (NULL Pointer Dereference).", "risk_and_exploitability": "The CVSS base score of 6.9 indicates moderate to high severity. The EPSS score is less than 1\u202f%, suggesting a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack vector is remote, and the exploit is publicly disclosed. An attacker can trigger the crash by sending a specially crafted SMF request over the network. As the flaw is not authenticated, any host able to reach the SMF control plane is a potential target."}}}}, "created": "2026-02-06T12:04:49.989884+00:00", "updated": "2026-04-17T23:00:12.646064+00:00", "vendors": ["free5gc", "free5gc$PRODUCT$free5gc"]}