CVE-2026-1976 – A null pointer dereference vulnerability in Fre... (How to Fix)

Q: What is the severity of CVE-2026-1976?

CVE-2026-1976 has a CVSS score of 5.3 (MEDIUM). A null pointer dereference vulnerability in Free5GC's SMF component allows remote attackers to cause denial of service by exploiting the SessionDeletionResponse function. This affects Free5GC deployments up to version 4.1.0. The vulnerability is remotely exploitable and a public exploit exists.

📋 TL;DR

A null pointer dereference vulnerability in Free5GC's SMF component allows remote attackers to cause denial of service by exploiting the SessionDeletionResponse function. This affects Free5GC deployments up to version 4.1.0. The vulnerability is remotely exploitable and a public exploit exists.

💻 Affected Systems

Products:

Free5GC

Versions: up to 4.1.0

Operating Systems: Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Affects SMF (Session Management Function) component specifically. Requires SMF to be exposed to untrusted traffic.

📦 What is this software?

Free5gc by Free5gc

View all CVEs affecting Free5gc →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption of the SMF component, potentially affecting 5G core network functionality and causing service outages for connected devices.

🟠

Likely Case

Denial of service affecting the SMF component, leading to session management failures and degraded network performance.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, potentially causing only isolated service interruptions.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit code is publicly available and the vulnerability requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.1 or later

Vendor Advisory: https://github.com/free5gc/free5gc/issues/817

Restart Required: Yes

Instructions:

1. Update Free5GC to version 4.1.1 or later. 2. Apply the patch from GitHub pull request #189. 3. Restart the SMF service.

🔧 Temporary Workarounds

Network Segmentation

linux

Restrict access to SMF component to trusted networks only

iptables -A INPUT -p tcp --dport <smf_port> -s <trusted_network> -j ACCEPT
iptables -A INPUT -p tcp --dport <smf_port> -j DROP

🧯 If You Can't Patch

Implement strict network access controls to limit SMF exposure
Deploy intrusion detection/prevention systems to monitor for exploit attempts

🔍 How to Verify

Check if Vulnerable:

Check Free5GC version: if version <= 4.1.0, system is vulnerable

Check Version:

free5gc version

Verify Fix Applied:

Verify Free5GC version is 4.1.1 or later and check that GitHub pull request #189 changes are applied

📡 Detection & Monitoring

Log Indicators:

SMF service crashes
Null pointer exception logs in SMF component
Unusual session deletion requests

Network Indicators:

Multiple malformed session deletion requests to SMF port
Traffic patterns matching known exploit

SIEM Query:

source="free5gc" AND ("null pointer" OR "SessionDeletionResponse" OR "SMF crash")

📊 Metadata

CVE ID: CVE-2026-1976

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE: CWE-404

EPSS Score: 0.07% exploit probability (22.3th percentile)

Published: February 6, 2026

Last Updated: February 9, 2026

🔗 References

https://github.com/free5gc/free5gc/ Product
https://github.com/free5gc/free5gc/issues/817 Exploit,Issue Tracking,Vendor Advisory
https://github.com/free5gc/free5gc/issues/817#issue-3832188092 Exploit,Issue Tracking,Vendor Advisory
https://github.com/free5gc/smf/pull/189 Issue Tracking
https://vuldb.com/?ctiid.344498 Permissions Required,VDB Entry
https://vuldb.com/?id.344498 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.743239 Exploit,Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-1976, you might also want to check these: