CVE-2026-1973

5.3 MEDIUM

📋 TL;DR

A null pointer dereference vulnerability in Free5GC's SMF component allows remote attackers to cause denial of service by exploiting the establishPfcpSession function. This affects all Free5GC deployments up to version 4.1.0 that expose the SMF service to untrusted networks.

💻 Affected Systems

Products:
  • Free5GC
Versions: All versions up to 4.1.0
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with SMF component enabled and exposed to untrusted networks.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete SMF service crash leading to denial of service for all 5G core network functions relying on SMF, potentially disrupting mobile network operations.

🟠 Likely Case

SMF service instability or crashes causing intermittent service disruption for 5G sessions managed by the affected SMF instance.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, potentially causing only isolated service disruptions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available in GitHub issues, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.1 or later

Vendor Advisory: https://github.com/free5gc/free5gc/issues/815

Restart Required: Yes

Instructions:

1. Update Free5GC to version 4.1.1 or later.
2. Apply the patch from GitHub PR #189.
3. Restart the SMF service.

🔧 Temporary Workarounds

Network Segmentation

Restrict access to SMF service ports (typically 8805 for PFCP, which runs over UDP) to trusted networks only.

# Replace trusted_network with the address or CIDR of the trusted PFCP peers.
iptables -A INPUT -p udp --dport 8805 -s trusted_network -j ACCEPT
iptables -A INPUT -p udp --dport 8805 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit SMF exposure to only necessary internal components.
  • Deploy monitoring and alerting for SMF service crashes with automated restart capabilities.

🔍 How to Verify

Check if Vulnerable:

Check Free5GC version: if version ≤ 4.1.0 and SMF is running, system is vulnerable.

Check Version:

free5gc version

Verify Fix Applied:

Verify Free5GC version is ≥ 4.1.1 and check that the establishPfcpSession function has been patched.

📡 Detection & Monitoring

Log Indicators:

  • SMF service crash logs
  • Null pointer exception in SMF logs
  • PFCP session establishment failures

Network Indicators:

  • Unexpected PFCP traffic patterns to SMF port 8805
  • Multiple connection attempts from single sources

SIEM Query:

source="smf.log" AND ("null pointer" OR "nil pointer dereference" OR "segmentation fault" OR "panic")
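
A log check built on the indicators above, as an added example (not part of the original advisory or of Free5GC's code): it finds Go panic dumps in SMF log text and flags nil-dereference panics whose stack includes establishPfcpSession. It assumes the SMF's Go runtime panic output reaches the scanned log; the sample log lines, package paths and addresses are constructed placeholders.

```python
import re

TARGET_FUNC = "establishPfcpSession"  # function named in this advisory
NIL_DEREF = "invalid memory address or nil pointer dereference"  # Go runtime text
FRAME = re.compile(r"^\S+\(.*\)$")  # stack frame such as "pkg.Func(0x0)"
# Other lines of a Go panic dump: blank, signal line, goroutine header,
# tab-indented file:line, "created by ...".
TRACE_LINE = re.compile(r"^(\s*$|\[signal |goroutine \d+ |\t|created by )")

# Constructed sample log; package paths and addresses are placeholders.
SAMPLE_LOG = """\
2026-01-10T09:14:02Z [INFO][SMF][PFCP] constructed: sending session establishment
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x0]

goroutine 57 [running]:
example.invalid/smf/placeholder.establishPfcpSession(0x0)
\t/placeholder/path.go:0 +0x0
2026-01-10T09:14:05Z [INFO][SMF][Main] constructed: SMF starting
panic: assignment to entry in nil map
goroutine 12 [running]:
example.invalid/smf/placeholder.otherHandler(0x0)
"""

def find_panics(text):
    """Return one record per Go panic dump found in the log text."""
    records, current = [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("panic: "):
            current = {"line": lineno, "message": line[7:],
                       "nil_deref": NIL_DEREF in line, "frames": []}
            records.append(current)
        elif current is not None and FRAME.match(line):
            current["frames"].append(line[:line.rindex("(")])  # drop arguments
        elif current is None or not TRACE_LINE.match(line):
            current = None  # an ordinary log line ends the dump
    return records

def matches_advisory(record):
    """True when a nil-dereference panic has TARGET_FUNC on its stack."""
    return record["nil_deref"] and any(
        TARGET_FUNC in re.split(r"[./]", frame) for frame in record["frames"])

if __name__ == "__main__":
    for rec in find_panics(SAMPLE_LOG):
        tag = "matches advisory" if matches_advisory(rec) else "other panic"
        print(f"line {rec['line']}: {tag}: {rec['message']}")
```

Panics that do not match are still returned by find_panics, so they can feed the general SMF crash alerting listed under "If You Can't Patch".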
