60 matches found
CVE-2025-69232
free5GC is an open-source project for 5th generation 5G mobile core networks. free5GC go-upf versions up to and including 1.2.6, corresponding to free5gc smf up to and including 1.4.0, have an Improper Input Validation and Protocol Compliance vulnerability leading to Denial of Service. Remote...
CVE-2026-26024
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation 5G mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP UDP/8805 interface. No known upstrea...
CVE-2026-26025
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation 5G mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP UDP/8805 interface. No known upstrea...
CVE-2026-26025
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation 5G mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP UDP/8805 interface. No known upstrea...
CVE-2026-26025 free5GC SMF crash (nil pointer dereference) on PFCP SessionReportRequest when ReportType.USAR=1 and UsageReport omits mandatory URRID sub-IE 
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation 5G mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP UDP/8805 interface. No known upstrea...
CVE-2026-26025 free5GC SMF crash (nil pointer dereference) on PFCP SessionReportRequest when ReportType.USAR=1 and UsageReport omits mandatory URRID sub-IE 
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation 5G mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP UDP/8805 interface. No known upstrea...
EUVD-2026-7465
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation 5G mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP UDP/8805 interface. No known upstrea...
CVE-2026-25501
Free5GC SMF (Session Management Function) up to version 1.4.1 is vulnerable to a nil pointer dereference that causes the SMF process to panic when processing a malformed PFCP SessionReportRequest on the PFCP interface (UDP/8805). The issue can lead to SMF termination. There is no known upstream f...
CVE-2026-25501 free5GC SMF crash (nil pointer dereference) on PFCP SessionReportRequest when ReportType.DLDR is set but DownlinkDataReport IE is missing
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation 5G mobile core networks. In versions up to and including 1.4.1, SMF panics due to nil pointer dereference and the SMF process terminates. This is triggered by a malformed PFCP...
EUVD-2026-7466
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation 5G mobile core networks. In versions up to and including 1.4.1, SMF panics due to nil pointer dereference and the SMF process terminates. This is triggered by a malformed PFCP...
CVE-2026-25501 free5GC SMF crash (nil pointer dereference) on PFCP SessionReportRequest when ReportType.DLDR is set but DownlinkDataReport IE is missing
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation 5G mobile core networks. In versions up to and including 1.4.1, SMF panics due to nil pointer dereference and the SMF process terminates. This is triggered by a malformed PFCP...
PT-2026-21591
Name of the Vulnerable Software and Affected Versions free5GC SMF versions up to and including 1.4.1 Description free5GC SMF provides the Session Management Function for free5GC, an open-source project for 5G mobile core networks. The software experiences a panic and terminates when processing a...
CVE-2025-69232 free5GC hasProtocol Compliance Violation in UPF Leading to SMF Service Disruption
free5GC is an open-source project for 5th generation 5G mobile core networks. free5GC go-upf versions up to and including 1.2.6, corresponding to free5gc smf up to and including 1.4.0, have an Improper Input Validation and Protocol Compliance vulnerability leading to Denial of Service. Remote...
CVE-2025-69232 free5GC hasProtocol Compliance Violation in UPF Leading to SMF Service Disruption
free5GC is an open-source project for 5th generation 5G mobile core networks. free5GC go-upf versions up to and including 1.2.6, corresponding to free5gc smf up to and including 1.4.0, have an Improper Input Validation and Protocol Compliance vulnerability leading to Denial of Service. Remote...
CVE-2026-2523
A vulnerability was detected in Open5GS up to 2.7.6. The affected element is the function smfgnhandlecreatepdpcontextrequest of the file /src/smf/gn-handler.c of the component SMF. The manipulation results in reachable assertion. It is possible to launch the attack remotely. The exploit is now...
CVE-2025-70123
Summary of CVE-2025-70123 : In free5GC v4.0.1, the UPF fails to validate a malformed PFCP Association Setup Request, violating 3GPP TS 29.244. This leads to an inconsistent UPF state, and a subsequent valid PFCP Session Establishment Request can trigger a cascading failure that disrupts the SMF c...
CVE-2026-1976
A weakness has been identified in Free5GC up to 4.1.0. Affected is the function SessionDeletionResponse of the component SMF. This manipulation causes null pointer dereference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used f...
EUVD-2026-5602
A weakness has been identified in Free5GC up to 4.1.0. Affected is the function SessionDeletionResponse of the component SMF. This manipulation causes null pointer dereference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used f...
NULL Pointer Dereference
Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the establishPfcpSession function. An attacker can cause a denial of service by sending specially crafted requests that trigger a null pointer dereference in the SMF component. Remediation Upgrade...
Improper Resource Shutdown or Release
Overview Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the ResolveNodeIdToIp function in the SMF component. An attacker can cause a service disruption by sending specially crafted requests remotely. Remediation Upgrade...