CVE-2026-1682

5.3 MEDIUM

📋 TL;DR

A null pointer dereference vulnerability in Free5GC SMF's PFCP UDP endpoint allows remote attackers to cause denial of service by sending specially crafted PFCP Association Release Request messages. This affects Free5GC deployments using SMF versions up to 4.1.0. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:
  • Free5GC SMF
Versions: All versions up to and including 4.1.0
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with PFCP UDP endpoint enabled (default configuration).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete SMF service crash leading to loss of 5G core network session management functionality, disrupting mobile data services for affected subscribers.

🟠 Likely Case

SMF process termination requiring manual restart, causing temporary service interruption for new session establishment.

🟢 If Mitigated

Minimal impact with proper segmentation and monitoring; service automatically restarts with session recovery mechanisms.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details published in GitHub issues; simple UDP packet manipulation required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 4.1.0

Vendor Advisory: https://github.com/free5gc/free5gc/issues/794

Restart Required: Yes

Instructions:

1. Update Free5GC SMF to latest version.
2. Apply patch from GitHub PR #188.
3. Restart SMF service.

🔧 Temporary Workarounds

Network Segmentation

linux

Restrict PFCP UDP endpoint access to trusted N4 interface peers only

iptables -A INPUT -p udp --dport 8805 -s <trusted_peer> -j ACCEPT
iptables -A INPUT -p udp --dport 8805 -j DROP
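
Because both commands use `-A`, they land at the end of INPUT, where an earlier and broader ACCEPT rule can shadow them. The script below is an added example, not part of the advisory or the Free5GC project; it audits `iptables -S INPUT` output for that case. The peer address 192.0.2.10 and the sample rule set are constructed, and multiport matches and jumps to user-defined chains are not modeled.

```shell
#!/usr/bin/env bash
# Added example: audit `iptables -S INPUT` output for the port 8805 workaround.
# Usage: iptables -S INPUT | audit_pfcp_rules <trusted_peer>...
# Returns 0 only if 8805/udp is accepted solely from the listed peers and
# all other sources reach an unconditional DROP/REJECT or a DROP policy.
audit_pfcp_rules() {
  local trusted=" $* " policy=ACCEPT line proto dport src target extra
  while IFS= read -r line; do
    set -f; set -- $line; set +f        # split the rule into words, no globbing
    if [ "${1:-}" = "-P" ] && [ "${2:-}" = "INPUT" ]; then policy=${3:-}; continue; fi
    if [ "${1:-}" != "-A" ] || [ "${2:-}" != "INPUT" ]; then continue; fi
    shift 2; proto=""; dport=""; src=""; target=""; extra=0
    while [ $# -gt 0 ]; do
      case "$1" in
        -p)      proto=${2:-}; shift ;;
        --dport) dport=${2:-}; shift ;;
        -s)      src=${2:-}; src=${src%/32}; shift ;;
        -j)      target=${2:-}; shift ;;
        -m)      shift ;;               # match-module name, e.g. "-m udp"
        "!")     echo "REVIEW: negated match, check by hand: $line"; return 2 ;;
        -*)      extra=1 ;;             # a match this sketch does not model
      esac
      if [ $# -gt 0 ]; then shift; fi
    done
    # Skip rules that cannot match UDP traffic to port 8805.
    case "$proto" in ""|udp|all) ;; *) continue ;; esac
    case "$dport" in ""|8805) ;; *) continue ;; esac
    case "$target" in
      ACCEPT)
        if [ -n "$src" ]; then
          case "$trusted" in *" $src "*) continue ;; esac
        fi
        echo "FAIL: 8805/udp accepted from '${src:-any source}': $line"; return 1 ;;
      DROP|REJECT)
        if [ -z "$src" ] && [ "$extra" -eq 0 ]; then
          echo "OK: other sources are dropped by: $line"; return 0
        fi ;;
    esac
  done
  if [ "$policy" = "DROP" ]; then echo "OK: INPUT policy is DROP"; return 0; fi
  echo "FAIL: no DROP rule or DROP policy covers 8805/udp"; return 1
}

# Constructed sample: workaround rules appended after a broad UDP ACCEPT.
SHADOWED='-P INPUT ACCEPT
-A INPUT -p udp -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p udp -m udp --dport 8805 -j ACCEPT
-A INPUT -p udp -m udp --dport 8805 -j DROP'
printf '%s\n' "$SHADOWED" | audit_pfcp_rules 192.0.2.10 || true
```

If the audit fails on a shadowing rule, insert the workaround rules ahead of it with `iptables -I INPUT` instead of appending them.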

🧯 If You Can't Patch

  • Implement strict network ACLs to limit PFCP UDP traffic to authorized UPF nodes only
  • Deploy SMF behind stateful firewall with UDP flood protection and anomaly detection

🔍 How to Verify

Check if Vulnerable:

Check the SMF version with free5gc-smf --version. If the version is ≤ 4.1.0, the system is vulnerable.

Check Version:

free5gc-smf --version

Verify Fix Applied:

Verify that the version is > 4.1.0 and that the GitHub PR #188 changes are present in handler.go.

📡 Detection & Monitoring

Log Indicators:

  • SMF process crashes/restarts
  • PFCP Association Release Request errors
  • Nil pointer dereference panics in SMF logs (the Go runtime reports these as "invalid memory address or nil pointer dereference")

Network Indicators:

  • UDP packets to port 8805 with malformed PFCP headers
  • Unusual PFCP Association Release Request frequency

SIEM Query:

source="smf.log" AND ("panic" OR "nil pointer" OR "null pointer" OR "association release")
