CVE-2026-1684

5.3 MEDIUM

📋 TL;DR

A denial-of-service vulnerability exists in Free5GC SMF's PFCP UDP Endpoint component, specifically in the HandleReports function. Attackers can remotely trigger this vulnerability to crash the SMF service, disrupting 5G core network functionality. Organizations running Free5GC SMF versions up to 4.1.0 are affected.

💻 Affected Systems

Products:
  • Free5GC SMF
Versions: up to 4.1.0
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with PFCP UDP Endpoint enabled (default configuration).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete disruption of 5G core network services, preventing subscriber connectivity and network operations until service restoration.

🟠 Likely Case

Service interruption affecting multiple subscribers, requiring manual restart of SMF components and causing temporary service outages.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, allowing quick detection and recovery.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Remote exploitation requires network access to PFCP UDP port (default 8805).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.1 or later

Vendor Advisory: https://github.com/free5gc/free5gc/issues/806

Restart Required: Yes

Instructions:

1. Update Free5GC SMF to version 4.1.1 or later.
2. Apply the fix from GitHub PR #188.
3. Restart SMF service.

🔧 Temporary Workarounds

Network Segmentation

linux

Restrict access to PFCP UDP port (default 8805) to trusted network segments only.

iptables -A INPUT -p udp --dport 8805 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p udp --dport 8805 -j DROP

🧯 If You Can't Patch

  • Implement strict network ACLs to limit PFCP UDP port access to authorized NFs only.
  • Deploy rate limiting on PFCP UDP traffic to mitigate DoS attempts.

🔍 How to Verify

Check if Vulnerable:

Check SMF version: if version <= 4.1.0, system is vulnerable.

Check Version:

grep -i version /path/to/smf/config/files

Alternatively, check the deployment manifests.

Verify Fix Applied:

Verify SMF version is >= 4.1.1 and check that GitHub PR #188 changes are applied.
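
The version thresholds above can be checked in a script. The following is an added example, not part of the advisory or the Free5GC project; the function name smf_version_status and the handling of "v" prefixes, build metadata and pre-release suffixes are assumptions about how the version string may be written.

```shell
#!/bin/sh
# Added example: classify an SMF version string against the advisory's
# thresholds (vulnerable up to 4.1.0, fixed in 4.1.1 or later).
# Prints "vulnerable", "fixed" or "unknown" (needs manual review).
smf_version_status() {
    raw=${1#v}          # accept tag-style input such as "v4.1.0" (assumption)
    raw=${raw%%+*}      # drop build metadata such as "+abc123" (assumption)
    base=${raw%%-*}     # numeric part before any pre-release suffix
    suffix=
    if [ "$base" != "$raw" ]; then suffix=${raw#*-}; fi

    # Anything that is not dotted decimal cannot be compared safely.
    case $base in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac

    # Split on dots; missing components count as 0 ("4.2" means 4.2.0).
    old_ifs=$IFS; IFS=.
    set -- $base
    IFS=$old_ifs
    major=$1; minor=${2:-0}; patch=${3:-0}

    # Compare (major, minor, patch) with the fixed release 4.1.1.
    if   [ "$major" -gt 4 ]; then rel=newer
    elif [ "$major" -lt 4 ]; then rel=older
    elif [ "$minor" -gt 1 ]; then rel=newer
    elif [ "$minor" -lt 1 ]; then rel=older
    elif [ "$patch" -gt 1 ]; then rel=newer
    elif [ "$patch" -lt 1 ]; then rel=older
    else rel=equal
    fi

    case $rel in
        older) echo vulnerable ;;
        newer) echo fixed ;;
        equal) # a 4.1.1 pre-release build may predate the fix
               if [ -n "$suffix" ]; then echo unknown; else echo fixed; fi ;;
    esac
}

# Stand-alone use: sh smf_version_status.sh 4.1.0
if [ $# -gt 0 ]; then smf_version_status "$1"; fi
```

A result of "unknown" means the string could not be compared reliably; confirm the build contents by hand in that case.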

📡 Detection & Monitoring

Log Indicators:

  • SMF service crashes
  • PFCP session failures
  • Unexpected termination of HandleReports function

Network Indicators:

  • Unusual UDP traffic patterns on port 8805
  • Multiple malformed PFCP messages from single source

SIEM Query:

source="smf.log" AND ("panic" OR "crash" OR "HandleReports")
