CVE-2025-70122

7.5 HIGH

📋 TL;DR

A heap buffer overflow vulnerability in free5GC's UPF component allows remote attackers to crash the UPF service via specially crafted PFCP Session Modification Requests. This causes denial of service for 5G core network functions. Organizations running free5GC v4.0.1 in production are affected.

💻 Affected Systems

Products:
  • free5GC
Versions: v4.0.1
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects UPF component; other free5GC components (AMF, SMF, etc.) are not directly vulnerable but may be impacted by UPF crashes.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete UPF service crash leading to loss of user plane connectivity, disrupting 5G data services for all connected devices until service restart.

🟠 Likely Case

Targeted DoS attacks causing intermittent UPF crashes and service disruption, requiring manual intervention to restore functionality.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, allowing quick detection and recovery from crashes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires knowledge of the PFCP protocol and the ability to send crafted packets to the UPF's PFCP interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.0.2 or later

Vendor Advisory: https://github.com/free5gc/free5gc/issues/746

Restart Required: No

Instructions:

1. Update free5GC to v4.0.2 or later.
2. Replace affected sdf-filter.go file with patched version.
3. Restart UPF service to apply changes.

🔧 Temporary Workarounds

Network Segmentation

Linux

Restrict PFCP traffic to trusted N4 interfaces only using firewall rules.

iptables -A INPUT -p udp --dport 8805 -s <trusted_smf_ip> -j ACCEPT
iptables -A INPUT -p udp --dport 8805 -j DROP

🧯 If You Can't Patch

  • Implement strict network ACLs to limit PFCP traffic sources to authorized SMF nodes only.
  • Deploy UPF redundancy with load balancing to maintain service during individual instance crashes.

🔍 How to Verify

Check if Vulnerable:

Check free5GC version: free5gc version | grep 'v4.0.1'

Check Version:

free5gc version

Verify Fix Applied:

Verify version is v4.0.2 or later: free5gc version | grep -v 'v4.0.1'

📡 Detection & Monitoring

Log Indicators:

  • UPF panic logs containing 'SDFFilterFields.UnmarshalBinary'
  • UPF process crashes with heap overflow errors
  • Repeated UPF service restarts

Network Indicators:

  • Unusual PFCP Session Modification Requests from untrusted sources
  • Spike in malformed PFCP packets to port 8805

SIEM Query:

source="free5gc.log" AND "panic" AND "SDFFilterFields"
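
Added example, not from the advisory or the free5GC project: Go writes a panic message and its stack frames on separate lines, so a per-line match on both "panic" and "SDFFilterFields" can miss the event in raw log files. The code below correlates the two log indicators and flags repeated crashes; the log layout, sample lines, function names and thresholds are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: timestamp layout and message text are assumptions,
# not output captured from a real free5GC UPF.
SAMPLE_LOG = """\
2025-01-10T08:00:01Z [INFO][UPF] UPF started
2025-01-10T08:03:12Z [ERRO][UPF] panic: runtime error: slice bounds out of range
2025-01-10T08:03:12Z [ERRO][UPF] ie.(*SDFFilterFields).UnmarshalBinary(...)
2025-01-10T08:03:15Z [INFO][UPF] UPF started
2025-01-10T08:04:40Z [ERRO][UPF] panic: runtime error: slice bounds out of range
2025-01-10T08:04:40Z [ERRO][UPF] ie.(*SDFFilterFields).UnmarshalBinary(...)
2025-01-10T08:04:43Z [INFO][UPF] UPF started
2025-01-10T09:30:00Z [ERRO][UPF] panic: unrelated nil map write
2025-01-10T09:30:03Z [INFO][UPF] UPF started
"""

TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s")

def sdf_filter_panics(log_text, lookahead=20):
    """Return timestamps of panics whose trace mentions SDFFilterFields."""
    lines = log_text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        m = TS.match(line)
        if not m or "panic" not in line:
            continue
        # Search the lines after the panic, stopping at the next panic so a
        # trace is never attributed to the wrong crash.
        for follow in lines[i + 1 : i + 1 + lookahead]:
            if "panic" in follow:
                break
            if "SDFFilterFields" in follow:
                hits.append(datetime.fromisoformat(m.group(1)))
                break
    return hits

def crash_bursts(hits, window=timedelta(minutes=10), threshold=2):
    """Return (first, last, count) per run of panics spaced <= window apart."""
    bursts, run = [], []
    for ts in sorted(hits):
        if run and ts - run[-1] > window:
            if len(run) >= threshold:
                bursts.append((run[0], run[-1], len(run)))
            run = []
        run.append(ts)
    if len(run) >= threshold:
        bursts.append((run[0], run[-1], len(run)))
    return bursts
```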
