Login Sign Up

CVE-2026-1974

5.3 MEDIUM
Denial of Service

📋 TL;DR

A denial-of-service vulnerability exists in Free5GC's SMF component where the ResolveNodeIdToIp function can be manipulated by remote attackers. This affects Free5GC deployments up to version 4.1.0, potentially disrupting 5G core network services. The vulnerability is remotely exploitable and has a publicly available exploit.

💻 Affected Systems

Products:
  • Free5GC
Versions: up to 4.1.0
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with SMF component enabled and exposed to untrusted networks.

📦 What is this software?

Free5gc by Free5gc

View all CVEs affecting Free5gc →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete disruption of SMF functionality leading to service unavailability for affected 5G network slices and subscribers.

🟠

Likely Case

Intermittent service degradation or temporary unavailability of specific network functions.

🟢

If Mitigated

Minimal impact with proper network segmentation and rate limiting in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit is publicly available on GitHub and requires minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.1 or later

Vendor Advisory: https://github.com/free5gc/free5gc/issues/816

Restart Required: Yes

Instructions:

1. Update Free5GC to version 4.1.1 or later. 2. Apply the patch from GitHub PR #189. 3. Restart the SMF service.

🔧 Temporary Workarounds

Network Segmentation

linux

Restrict access to SMF component to trusted networks only

iptables -A INPUT -p tcp --dport <smf_port> -s <trusted_network> -j ACCEPT
iptables -A INPUT -p tcp --dport <smf_port> -j DROP

Rate Limiting

linux

Implement rate limiting on SMF service endpoints

iptables -A INPUT -p tcp --dport <smf_port> -m limit --limit 10/minute --limit-burst 20 -j ACCEPT

🧯 If You Can't Patch

  • Implement strict network access controls to isolate SMF from untrusted networks
  • Deploy Web Application Firewall (WAF) or network filtering to block malicious traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check Free5GC version: if version <= 4.1.0 and SMF is running, system is vulnerable.

Check Version:

free5gc version

Verify Fix Applied:

Verify Free5GC version is >= 4.1.1 and check that GitHub PR #189 changes are applied to datapath.go

📡 Detection & Monitoring

Log Indicators:

  • Unusual volume of requests to SMF ResolveNodeIdToIp endpoint
  • SMF service crashes or restarts

Network Indicators:

  • High volume of malformed requests to SMF port
  • Traffic patterns indicating DoS attempts

SIEM Query:

source="free5gc" AND ("ResolveNodeIdToIp" OR "SMF crash")

📊 Metadata

CVE ID: CVE-2026-1974
CVSS v3 Score: 5.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-404
EPSS Score: 0.07% exploit probability (20.7th percentile)
Published: February 6, 2026
Last Updated: February 9, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-1974, you might also want to check these:

CVE-2025-38385 7.8

This CVE describes a kernel warning triggered during USB device disconnection in the Linux kernel's ...

Same vulnerability type (CWE-404)
CVE-2022-23033 7.8

This Xen hypervisor vulnerability on ARM systems allows guest virtual machines to retain access to m...

Same vulnerability type (CWE-404)
CVE-2021-0984 7.8

This vulnerability in Android 12 allows local privilege escalation without user interaction. An inco...

Same vulnerability type (CWE-404)