CVE-2025-65566

Name of the Vulnerable Software and Affected Versions omec-project UPF versions upf-epc-pfcpiface:2.1.3-dev

Description A denial-of-service issue exists in the pfcpiface component of the UPF. When the UPF receives a PFCP Session Report Response lacking the mandatory Cause Information Element, the session report handler attempts to access a null pointer instead of discarding the improperly formatted message. This results in a process termination. An attacker capable of sending PFCP Session Report Response messages to the UPF’s N4/PFCP endpoint can exploit this to repeatedly crash the UPF and disrupt user-plane services. The affected API endpoint is the N4/PFCP endpoint.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.