CVE-2026-1683

5.3 MEDIUM

📋 TL;DR

A denial-of-service vulnerability exists in Free5GC SMF's PFCP handler that allows remote attackers to crash the service by sending specially crafted PFCP Session Report Request messages. This affects all Free5GC deployments using SMF versions up to 4.1.0. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:
  • Free5GC SMF
Versions: All versions up to and including 4.1.0
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with PFCP interface exposed and accessible to attackers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption of the SMF component, causing loss of 5G session management functionality and potential cascading failures in the 5G core network.

🟠 Likely Case

Service crashes requiring manual restart of SMF instances, leading to temporary service outages and degraded 5G network performance.

🟢 If Mitigated

Minimal impact with proper network segmentation and monitoring allowing quick detection and recovery.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available in GitHub issues and the vulnerability is simple to trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in SMF version after 4.1.0 via pull request #188

Vendor Advisory: https://github.com/free5gc/free5gc/issues/804

Restart Required: Yes

Instructions:

1. Update Free5GC SMF to latest version.
2. Apply patch from pull request #188 if using older version.
3. Restart SMF service.

🔧 Temporary Workarounds

Network Segmentation

linux

Restrict access to the PFCP interface (UDP port 8805) to trusted NFs only. Replace trusted_ip_range with the address range of those NFs.

iptables -A INPUT -p udp --dport 8805 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p udp --dport 8805 -j DROP

🧯 If You Can't Patch

  • Implement strict network ACLs to limit PFCP traffic to authorized NFs only
  • Deploy monitoring and automated restart mechanisms for SMF service

🔍 How to Verify

Check if Vulnerable:

Check SMF version: if version <= 4.1.0 and PFCP interface is exposed, system is vulnerable

Check Version:

Check SMF configuration file or deployment manifest for version information

Verify Fix Applied:

Verify SMF version > 4.1.0 or check that patch from PR #188 is applied

📡 Detection & Monitoring

Log Indicators:

  • SMF service crashes
  • PFCP Session Report Request handling errors
  • Panic logs in SMF

Network Indicators:

  • Unusual PFCP traffic patterns
  • Multiple PFCP Session Report Requests from single source
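
The network indicators listed above can be checked against a capture or mirror of UDP 8805 traffic. The following is an added example, not Free5GC code and not part of the original advisory: it parses only the PFCP header and flags Session Report Requests from senders outside an allow-list, bursts from a single source, and malformed headers. The allow-list, threshold, function names and sample datagrams are assumptions constructed for illustration.

```python
import struct
from collections import Counter

SESSION_REPORT_REQUEST = 56  # PFCP message type value in 3GPP TS 29.244

def parse_pfcp_header(payload: bytes):
    """Return (message_type, seid, sequence), or None if the header is not sane PFCPv1."""
    if len(payload) < 8:
        return None
    flags, msg_type, length = struct.unpack("!BBH", payload[:4])
    if flags >> 5 != 1 or length != len(payload) - 4:  # version 1; length skips 4 octets
        return None
    if flags & 0x01:  # S flag set: an 8-octet SEID precedes the sequence number
        if len(payload) < 16:
            return None
        return msg_type, int.from_bytes(payload[4:12], "big"), int.from_bytes(payload[12:15], "big")
    return msg_type, None, int.from_bytes(payload[4:7], "big")

def flag_sources(datagrams, trusted, threshold=3):
    """datagrams: (src_ip, udp_payload) pairs seen on UDP 8805. Returns {src_ip: reason}."""
    counts, alerts = Counter(), {}
    for src, payload in datagrams:
        hdr = parse_pfcp_header(payload)
        if hdr is None:
            alerts.setdefault(src, "malformed PFCP header")
        elif hdr[0] == SESSION_REPORT_REQUEST:
            counts[src] += 1
            if src not in trusted:
                alerts[src] = "Session Report Request from untrusted source"
            elif counts[src] > threshold:
                alerts.setdefault(src, "Session Report Request burst")
    return alerts

def sample_header(msg_type, seid, seq):
    """Constructed header-only PFCP message (S flag set, no IEs) used as test input."""
    rest = seid.to_bytes(8, "big") + seq.to_bytes(3, "big") + b"\x00"
    return struct.pack("!BBH", 0x21, msg_type, len(rest)) + rest

# Constructed sample traffic using documentation address ranges, not a real capture.
TRUSTED_UPFS = {"192.0.2.10"}  # assumed allow-list of UPF addresses
SAMPLE = [("192.0.2.10", sample_header(56, 1, n)) for n in range(5)] + [
    ("198.51.100.7", sample_header(56, 1, 9)),   # sender not on the allow-list
    ("203.0.113.5", b"\x21\x38\x00"),            # truncated datagram
    ("192.0.2.10", sample_header(57, 1, 10)),    # Session Report Response: ignored
]

if __name__ == "__main__":
    for src, reason in flag_sources(SAMPLE, TRUSTED_UPFS).items():
        print(src, reason)
```

The threshold is a tuning value: a busy UPF legitimately sends many Session Report Requests, so the burst rule should be sized against a baseline for each deployment.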

SIEM Query:

source="smf.log" AND ("panic" OR "crash" OR "HandlePfcpSessionReportRequest")
