CVE-2026-26024

free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation 5G mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP UDP/8805 interface. No known upstrea...

CVE-2026-26025

free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation 5G mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP UDP/8805 interface. No known upstrea...

Expected Behavior Violation

Overview Affected versions of this package are vulnerable to Expected Behavior Violation via the PFCP Association Setup Request process. An attacker can cause service disruption and trigger reconnection loops by sending a malformed request that is incorrectly accepted, resulting in an inconsisten...

CVE-2026-26024 free5GC SMF crash (nil pointer dereference) on PFCP SessionReportRequest when ReportType.USAR=1 and UsageReport omits mandatory URRID sub-IE 

free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation 5G mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP UDP/8805 interface. No known upstrea...

CVE-2026-26024 free5GC SMF crash (nil pointer dereference) on PFCP SessionReportRequest when ReportType.USAR=1 and UsageReport omits mandatory URRID sub-IE 

free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation 5G mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP UDP/8805 interface. No known upstrea...

PT-2026-21591

Name of the Vulnerable Software and Affected Versions free5GC SMF versions up to and including 1.4.1 Description free5GC SMF provides the Session Management Function for free5GC, an open-source project for 5G mobile core networks. The software experiences a panic and terminates when processing a...

CVE-2025-70123

An improper input validation and protocol compliance vulnerability in free5GC v4.0.1 allows remote attackers to cause a denial of service. The UPF incorrectly accepts a malformed PFCP Association Setup Request, violating 3GPP TS 29.244. This places the UPF in an inconsistent state where a...

CVE-2025-70123

Summary of CVE-2025-70123 : In free5GC v4.0.1, the UPF fails to validate a malformed PFCP Association Setup Request, violating 3GPP TS 29.244. This leads to an inconsistent UPF state, and a subsequent valid PFCP Session Establishment Request can trigger a cascading failure that disrupts the SMF c...

CVE-2026-1975 Free5GC pfcp_reports.go identityTriggerType null pointer dereference

A security flaw has been discovered in Free5GC up to 4.1.0. This impacts the function identityTriggerType of the file pfcpreports.go. The manipulation results in null pointer dereference. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks...

CVE-2026-1684

A vulnerability was found in Free5GC SMF up to 4.1.0. Affected by this issue is the function HandleReports of the file /internal/context/pfcpreports.go of the component PFCP UDP Endpoint. The manipulation results in denial of service. The attack can be executed remotely. It is advisable to...

CVE-2026-1682

CVE-2026-1682 affects Free5GC SMF up to version 4.1.0, specifically the PFCP UDP Endpoint’s HandlePfcpAssociationReleaseRequest in internal/pfcp/handler/handler.go. The vulnerability allows remote manipulation that can cause a null pointer dereference. An exploit has been published and may be use...

EUVD-2025-205531

A flaw has been found in omec-project UPF up to 2.1.3-dev. This affects the function handleSessionEstablishmentRequest of the file /pfcpiface/pfcpiface/messagessession.go of the component PFCP Session Establishment Request Handler. This manipulation causes null pointer dereference. The attack may...

PT-2025-53699

Name of the Vulnerable Software and Affected Versions Open5GS versions through 2.7.5 Description A flaw exists in Open5GS affecting the decode ipv6 header/ogs pfcp pdr rule find by packet function within the lib/pfcp/rule-match.c file of the PFCP Session Establishment Request Handler component...

CVE-2025-14953

A flaw has been found in Open5GS up to 2.7.5. This impacts the function ogspfcphandlecreatepdr in the library lib/pfcp/handler.c of the component FAR-ID Handler. Executing a manipulation can lead to null pointer dereference. The attack may be performed from remote. The attack requires a high leve...

CVE-2025-65566

A denial-of-service vulnerability exists in the omec-project UPF pfcpiface component in version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Session Report Response that is missing the mandatory Cause Information Element, the session report handler dereferences a nil pointer instead ...

CVE-2025-65561

An issue was discovered in function LocalNode.Sess in free5GC 4.1.0 allowing attackers to cause a denial of service or other unspecified impacts via crafted header Local SEID to the PFCP Session Modification Request...

CVE-2025-65562

The free5GC UPF suffers from a lack of bounds checking on the SEID when processing PFCP Session Deletion Requests. An unauthenticated remote attacker can send a request with a very large SEID e.g., 0xFFFFFFFFFFFFFFFF that causes an integer conversion/underflow in LocalNode.DeleteSess /...

CVE-2025-65562

The free5GC UPF suffers from a lack of bounds checking on the SEID when processing PFCP Session Deletion Requests. An unauthenticated remote attacker can send a request with a very large SEID e.g., 0xFFFFFFFFFFFFFFFF that causes an integer conversion/underflow in LocalNode.DeleteSess /...

PT-2025-52283

Name of the Vulnerable Software and Affected Versions Open5GS version 2.7.5-49-g465e90f Description A flaw exists in Open5GS where a malformed PFCP Session Establishment Request can cause the UPF to crash. Specifically, when processing a request type=50 and the CreatePDR?PDI?F-TEID has CH=1, a...

EUVD-2025-24087

Malicious code in bioql PyPI...