CVE-2026-26025
📋 TL;DR
A denial-of-service vulnerability in free5GC SMF allows attackers to crash the Session Management Function by sending malformed PFCP SessionReportRequest messages. This affects all deployments using free5GC SMF up to version 1.4.1. The vulnerability can be exploited remotely via the PFCP interface.
💻 Affected Systems
- free5GC SMF
📦 What is this software?
Smf by Free5gc
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of 5G core network functions, causing loss of connectivity for all users served by the affected SMF instance.
Likely Case
Intermittent service outages as attackers repeatedly crash the SMF process, requiring manual restart and causing user session disruptions.
If Mitigated
Limited impact with proper network controls, potentially reduced to isolated service interruptions if process recovery mechanisms are implemented.
🎯 Exploit Status
Exploitation requires only sending malformed UDP packets to port 8805. No authentication or special knowledge needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available
Vendor Advisory: https://github.com/free5gc/free5gc/security/advisories/GHSA-vw8r-p7h3-g3xh
Restart Required: No
Instructions:
No official patch exists. Monitor the free5GC GitHub repository for updates and apply when available.
🔧 Temporary Workarounds
Network Access Control
linuxRestrict access to PFCP interface (UDP/8805) to only trusted UPF IP addresses using firewall rules.
iptables -A INPUT -p udp --dport 8805 -s [TRUSTED_UPF_IP] -j ACCEPT
iptables -A INPUT -p udp --dport 8805 -j DROP
Process Recovery Wrapper
allAdd recover() function around PFCP handler dispatch to prevent whole-process termination when malformed messages are received.
Modify SMF source code to wrap PFCP message handling with Go's recover() mechanism
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to UDP port 8805
- Deploy network intrusion prevention systems to detect and block malformed PFCP packets
🔍 How to Verify
Check if Vulnerable:
Check free5GC SMF version. If version is 1.4.1 or earlier and PFCP interface is exposed, the system is vulnerable.Check Version:
Check free5GC documentation or deployment configuration for SMF versionVerify Fix Applied:
Test by sending malformed PFCP SessionReportRequest to UDP port 8805 and verify SMF process does not crash.📡 Detection & Monitoring
Log Indicators:
- SMF process panic messages
- Unexpected SMF service termination
- PFCP protocol errors
Network Indicators:
- UDP traffic to port 8805 from untrusted sources
- Malformed PFCP packets
SIEM Query:
source="free5gc-smf.log" AND (panic OR "fatal error" OR "unexpected EOF")