Vulnerability Description
free5GC SMF provides the Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface. No known upstream fix is available, but the following workarounds can be applied, alone or in combination:
- Restrict the PFCP interface with ACL/firewall rules so that only trusted UPF IPs can reach SMF (reduces the spoofing/abuse surface).
- Drop or inspect malformed PFCP SessionReportRequest messages at the network edge where feasible.
- Add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).
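The recover() workaround, sketched as an added example; this is not free5GC code. The `report` type, `handleSessionReport`, and `safeDispatch` are hypothetical names, and the nil-pointer panic only stands in for whatever fault the malformed message triggers in SMF.

```go
package main

import (
	"errors"
	"fmt"
)

// report is a hypothetical, simplified stand-in for a decoded PFCP
// SessionReportRequest; a nil ReportType models a missing information element.
type report struct {
	SEID       uint64
	ReportType *uint8
}

// handleSessionReport is a hypothetical handler that dereferences a field
// without validating it, so a malformed message makes it panic.
func handleSessionReport(r *report) error {
	if *r.ReportType&0x01 != 0 { // panics when ReportType is nil
		return nil
	}
	return errors.New("unsupported report type")
}

// safeDispatch runs a handler and converts a panic into an error, so one bad
// datagram is dropped instead of terminating the whole process.
func safeDispatch(h func(*report) error, r *report) (err error) {
	defer func() {
		if p := recover(); p != nil {
			err = fmt.Errorf("pfcp handler panic recovered: %v", p)
		}
	}()
	return h(r)
}

func main() {
	flag := uint8(0x01)
	msgs := []*report{ // constructed sample messages
		{SEID: 1, ReportType: &flag},
		{SEID: 2, ReportType: nil}, // malformed
		{SEID: 3, ReportType: &flag},
	}
	for _, m := range msgs {
		if err := safeDispatch(handleSessionReport, m); err != nil {
			fmt.Printf("SEID %d dropped: %v\n", m.SEID, err)
			continue
		}
		fmt.Printf("SEID %d handled\n", m.SEID)
	}
}
```

recover() only catches panics raised in the goroutine that deferred it, so any goroutine the handler spawns needs its own guard. Recovered panics should also be logged and counted, since a burst of them from one peer is a useful detection signal.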
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| free5GC | SMF | <= 1.4.1 |
Related Weaknesses (CWE)
References
- https://github.com/free5gc/free5gc/issues/807 (Exploit, Issue Tracking)
- https://github.com/free5gc/free5gc/security/advisories/GHSA-vw8r-p7h3-g3xh (Vendor Advisory)
FAQ
What is CVE-2026-26025?
CVE-2026-26025 is a vulnerability with a CVSS score of 7.5 (HIGH). free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when...
How severe is CVE-2026-26025?
CVE-2026-26025 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-26025?
Check the references section above for vendor advisories and patch information. Affected products include: free5GC SMF.