{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26025", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T21:36:29.555Z", "datePublished": "2026-02-24T00:15:59.635Z", "dateUpdated": "2026-02-26T14:31:19.868Z"}, "containers": {"cna": {"title": "free5GC SMF crash (nil pointer dereference) on PFCP SessionReportRequest when ReportType.USAR=1 and UsageReport omits mandatory URRID sub-IE \ufffc", "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "lang": "en", "description": "CWE-476: NULL Pointer Dereference", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-vw8r-p7h3-g3xh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-vw8r-p7h3-g3xh"}, {"name": "https://github.com/free5gc/free5gc/issues/807", "tags": ["x_refsource_MISC"], "url": "https://github.com/free5gc/free5gc/issues/807"}], "affected": [{"vendor": "free5gc", "product": "smf", "versions": [{"version": "<= 1.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T00:15:59.635Z"}, "descriptions": [{"lang": "en", "value": "free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface. \ufffcNo known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only)."}], "source": {"advisory": "GHSA-vw8r-p7h3-g3xh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T14:30:56.991801Z", "id": "CVE-2026-26025", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:31:19.868Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26025", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T14:30:56.991801Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:31:09.892Z"}}], "cna": {"title": "free5GC SMF crash (nil pointer dereference) on PFCP SessionReportRequest when ReportType.USAR=1 and UsageReport omits mandatory URRID sub-IE \ufffc", "source": {"advisory": "GHSA-vw8r-p7h3-g3xh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "free5gc", "product": "smf", "versions": [{"status": "affected", "version": "<= 1.4.1"}]}], "references": [{"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-vw8r-p7h3-g3xh", "name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-vw8r-p7h3-g3xh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/free5gc/free5gc/issues/807", "name": "https://github.com/free5gc/free5gc/issues/807", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface. \ufffcNo known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T00:15:59.635Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26025", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:31:19.868Z", "dateReserved": "2026-02-09T21:36:29.555Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-24T00:15:59.635Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:free5gc:smf:*:*:*:*:*:go:*:*", "matchCriteriaId": "D77A49EF-55CF-4F12-AAA2-2383C47AB810", "versionEndIncluding": "1.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface. \ufffcNo known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only)."}, {"lang": "es", "value": "El SMF de free5GC proporciona la Funci\u00f3n de Gesti\u00f3n de Sesi\u00f3n para free5GC, un proyecto de c\u00f3digo abierto para redes centrales m\u00f3viles de quinta generaci\u00f3n (5G). En versiones hasta la 1.4.1 inclusive, el SMF entra en p\u00e1nico y termina al procesar una solicitud PFCP SessionReportRequest malformada en la interfaz PFCP (UDP/8805). No hay una soluci\u00f3n ascendente conocida disponible, pero hay algunas soluciones alternativas disponibles. Aplicar ACL/cortafuegos a la interfaz PFCP para que solo las IP de UPF de confianza puedan alcanzar el SMF (reducir la superficie de suplantaci\u00f3n/abuso); descartar/inspeccionar mensajes PFCP SessionReportRequest malformados en el borde de la red donde sea factible, y/o a\u00f1adir recover() alrededor del despacho del gestor PFCP para evitar la terminaci\u00f3n de todo el proceso (solo mitigaci\u00f3n)."}], "id": "CVE-2026-26025", "lastModified": "2026-02-25T16:28:24.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-24T01:16:15.237", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/free5gc/free5gc/issues/807"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-vw8r-p7h3-g3xh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "smf", "source": "cna", "vendor": "free5gc"}, "product": "smf", "vendor": "free5gc"}], "analysis": {"en": {"generated_at": "2026-04-17T16:08:17.764295+00:00", "value": {"mitigation_remediation": ["Configure the firewall or ACL on the SMF host to allow PFCP traffic only from trusted UPF IP addresses, thereby reducing spoofing and abuse surface.", "Install packet inspection or filtering at the network edge to drop or quarantine malformed PFCP SessionReportRequest messages before they reach the SMF process.", "Wrap the PFCP request handler with a recover() guard in the SMF code to prevent a full\u2011process crash when a panic occurs; this mitigates the impact until an official upstream fix becomes available."], "summary": {"action": "Apply Workaround", "impact": "Service Disruption (Denial of Service)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the free5GC Session Management Function (SMF), versions up to and including 1.4.1, deployed by operators using the open\u2011source free5GC 5G core stack.", "description_and_impact": "A nil pointer dereference in the free5GC SMF causes a panic and process termination when a malformed PFCP SessionReportRequest is processed; the fault occurs when ReportType.USAR equals one and a mandatory URRID sub\u2011information element is omitted. Because the panic crashes the SMF process, a single crafted request can bring down the entire session management function, leading to denial of service of the 5G core network spokes it supports.", "risk_and_exploitability": "The CVSS base score is 6.6, reflecting moderate severity. The EPSS score is less than 1\u202f%, indicating a low probability of exploitation in the wild, and the issue is not listed in CISA\u2019s KEV catalog. The flaw is reachable remotely via the PFCP UDP interface on port\u202f8805, so an attacker with network access to the SMF endpoint can send the malformed SessionReportRequest and trigger a crash."}}}}, "created": "2026-02-24T09:54:24.759687+00:00", "updated": "2026-04-17T16:15:22.643530+00:00", "vendors": ["free5gc", "free5gc$PRODUCT$smf"]}