Free5GC SMF Null Pointer Dereference Vulnerability in PFCP Association Release Request Handling

Vulnerability

A null pointer dereference vulnerability has been identified in Free5GC SMF versions through 4.1.0. The issue arises in the PFCP UDP Endpoint component, specifically within the HandlePfcpAssociationReleaseRequest function of handler.go. When a PFCP Association Release Request is sent without the required NodeID Information Element, the handler attempts to dereference a nil NodeID, leading to a runtime panic. This vulnerability can be exploited remotely, causing the SMF process to crash and terminate, which disrupts service availability.
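The failure mode described above and the check that prevents it, as an added example. This is not the Free5GC source or its patch: the types `NodeID` and `AssociationReleaseRequest` and the functions `unsafeHandle`, `safeHandle` and `dispatch` are hypothetical stand-ins for a decoded PFCP message and its handler.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for decoded PFCP structures; not the free5gc types.
type NodeID struct{ IP string }

type AssociationReleaseRequest struct {
	NodeID *NodeID // nil when the mandatory IE is absent from the packet
}

var ErrMissingNodeID = errors.New("pfcp: mandatory NodeID IE missing")

// unsafeHandle mirrors the bug class: NodeID is dereferenced without a nil check.
func unsafeHandle(req *AssociationReleaseRequest) string {
	return req.NodeID.IP // runtime panic when NodeID is nil
}

// safeHandle validates the mandatory IE first and returns an error instead.
func safeHandle(req *AssociationReleaseRequest) (string, error) {
	if req == nil || req.NodeID == nil {
		return "", ErrMissingNodeID
	}
	return req.NodeID.IP, nil
}

// dispatch is defense in depth: a panic in one message handler is converted
// into an error so a single malformed packet cannot terminate the process.
func dispatch(h func(*AssociationReleaseRequest) string, req *AssociationReleaseRequest) (out string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panic contained: %v", r)
		}
	}()
	return h(req), nil
}

func main() {
	bad := &AssociationReleaseRequest{} // constructed: request decoded without a NodeID IE
	_, err := safeHandle(bad)
	fmt.Println("safeHandle:", err)
	_, err = dispatch(unsafeHandle, bad)
	fmt.Println("unsafeHandle via dispatch:", err)
}
```
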

Impact

Exploitation of this vulnerability causes the SMF process to crash, terminating all active sessions and disrupting service.

Reproduction

The vulnerability can be reproduced by sending a PFCP Association Release Request that omits the NodeID Information Element. This can be done using a crafted UDP packet that simulates the PFCP message without the required NodeID, targeting the SMF's PFCP UDP endpoint.

Remediation

Users are advised to update to Free5GC SMF version 4.1.1 or later, where this vulnerability has been fixed.

Added: Jan 30, 2026, 2:19 PM
Updated: Jan 30, 2026, 2:19 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.