PT-2026-21591 · Free5Gc · Free5Gc Smf

Linziyuu · Published 2026-02-24 · Updated 2026-03-01 · CVE-2026-26025

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions
free5GC SMF versions up to and including 1.4.1

Description
free5GC SMF provides the Session Management Function for free5GC, an open-source project for 5G mobile core networks. The SMF panics and terminates when it processes a malformed PFCP SessionReportRequest received on the PFCP (UDP/8805) interface. No upstream fix is currently available. Mitigation strategies include restricting access to the PFCP interface to trusted UPF IPs, dropping or inspecting malformed PFCP SessionReportRequest messages at the network edge, or adding recover() around PFCP handler dispatch to prevent complete process termination.

Recommendations
For free5GC SMF versions up to and including 1.4.1:
Apply ACL/firewall rules to the PFCP interface to allow only trusted UPF IPs to connect.
Drop or inspect malformed PFCP SessionReportRequest messages at the network edge.
Add recover() around PFCP handler dispatch to avoid whole-process termination as a mitigation.
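
The recover() mitigation, sketched as an added example (not free5GC's own code): a dispatcher that guards each handler call so a nil pointer dereference in one handler becomes a logged, counted error instead of ending the process. The Message, ReportBody, Handler and Dispatcher names and the handler body are hypothetical stand-ins for the SMF's PFCP types.

```go
package main

import (
	"fmt"
	"log"
)

// Hypothetical, simplified stand-ins for decoded PFCP messages (not free5GC types).
type ReportBody struct{ ReportType uint8 }
type Message struct {
	Type   uint8
	Report *ReportBody // nil when a malformed request omits the element
}
type Handler func(*Message) error
type Dispatcher struct {
	handlers map[uint8]Handler
	Panics   int // recovered panics; export as a metric and alert on it
}

const SessionReportRequest = 56 // PFCP message type value (3GPP TS 29.244)

// handleSessionReport mimics the flaw class: an optional field used unchecked.
func handleSessionReport(m *Message) error {
	log.Printf("pfcp: report type %d", m.Report.ReportType) // nil dereference if Report is nil
	return nil
}

func NewDispatcher() *Dispatcher {
	return &Dispatcher{handlers: map[uint8]Handler{SessionReportRequest: handleSessionReport}}
}

// Dispatch runs the handler and turns a panic into an error. recover() only
// covers this goroutine; goroutines a handler starts need their own guard.
func (d *Dispatcher) Dispatch(m *Message) (err error) {
	h, ok := d.handlers[m.Type]
	if !ok {
		return fmt.Errorf("no handler for PFCP message type %d", m.Type)
	}
	defer func() {
		if r := recover(); r != nil {
			d.Panics++
			log.Printf("pfcp: recovered panic in handler for type %d: %v", m.Type, r)
			err = fmt.Errorf("pfcp handler panic: %v", r)
		}
	}()
	return h(m)
}

func main() { fmt.Println(NewDispatcher().Dispatch(&Message{Type: SessionReportRequest})) }
```

Panics is a plain int here, so update it with sync/atomic if Dispatch is called from several goroutines. A rising count from one peer address is also a useful signal for the ACL and edge-filtering recommendations.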

Exploit

Fix

DoS

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

CVE-2026-26025
GHSA-VW8R-P7H3-G3XH

Affected Products

Free5Gc Smf