CVE-2025-66720 Overview
A null pointer dereference vulnerability has been identified in free5GC PCF (Policy Control Function) version 1.4.0. The vulnerability exists in the file internal/sbi/processor/ampolicy.go within the HandleDeletePoliciesPolAssoId function. When exploited, this flaw allows remote attackers to cause a denial of service condition by triggering a null pointer dereference, leading to application crashes and service disruption in 5G network core deployments.
Critical Impact
Remote attackers can crash the PCF component without authentication, potentially disrupting 5G network policy control services and impacting network availability.
Affected Products
- free5GC PCF version 1.4.0
- free5GC deployments utilizing the vulnerable PCF component
- 5G core network implementations based on free5GC
Discovery Timeline
- 2026-01-23 - CVE-2025-66720 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-66720
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference), a memory corruption issue that occurs when the application attempts to use a pointer that has a NULL value. In the context of free5GC PCF, the HandleDeletePoliciesPolAssoId function fails to properly validate pointer values before dereferencing them.
The free5GC project is an open-source implementation of the 5G core network, where the PCF component is responsible for policy control decisions. The vulnerability resides in the AM (Access and Mobility) policy handling code, specifically during policy association deletion operations. When a malicious or malformed request is processed, the function may attempt to access memory through an uninitialized or null pointer, causing the application to crash.
Root Cause
The root cause lies in insufficient null pointer validation within the HandleDeletePoliciesPolAssoId function located in internal/sbi/processor/ampolicy.go. The code fails to verify that pointer variables are properly initialized before accessing the memory they reference. This programming error allows an attacker to craft requests that trigger code paths where the null pointer is dereferenced.
Attack Vector
The vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker can send specially crafted HTTP requests to the PCF's Service-Based Interface (SBI) targeting the policy association deletion endpoint. When the vulnerable function processes these requests, it triggers the null pointer dereference, causing the PCF service to crash.
The attack flow involves:
- Identifying a free5GC PCF instance exposed on the network
- Sending a crafted DELETE request to the policies association endpoint
- The HandleDeletePoliciesPolAssoId function processes the request
- Null pointer dereference occurs, crashing the PCF service
- 5G network policy control services become unavailable
For detailed technical information about this vulnerability, refer to the GitHub Issue Report #726 which documents the discovery and impact.
Detection Methods for CVE-2025-66720
Indicators of Compromise
- Unexpected PCF service crashes or restarts in free5GC deployments
- Repeated crash logs in ampolicy.go or the HandleDeletePoliciesPolAssoId function
- Unusual DELETE requests targeting policy association endpoints in SBI traffic
- Service unavailability patterns indicating denial of service attempts
Detection Strategies
- Monitor PCF service health and implement alerting for unexpected restarts
- Analyze SBI traffic logs for anomalous DELETE requests to policy association endpoints
- Deploy application-level logging to capture function-level errors in the PCF component
- Implement network monitoring to detect repeated requests from suspicious sources
Monitoring Recommendations
- Enable detailed logging for the PCF component's SBI processor module
- Configure container or process monitoring to detect crash patterns
- Set up network traffic analysis for the PCF service endpoints
- Implement real-time alerting for service availability degradation
How to Mitigate CVE-2025-66720
Immediate Actions Required
- Review and apply the fix from GitHub Pull Request #57
- Upgrade free5GC PCF to a patched version when available
- Implement network-level access controls to restrict PCF SBI access to authorized components only
- Consider deploying a web application firewall or API gateway to filter malicious requests
Patch Information
A fix has been submitted via GitHub Pull Request #57 in the free5GC PCF repository. Organizations should review this pull request and apply the fix to their deployments. The patch adds proper null pointer validation to the HandleDeletePoliciesPolAssoId function before attempting to dereference pointer variables.
Workarounds
- Restrict network access to the PCF SBI interface using firewall rules
- Implement rate limiting on policy association endpoints to reduce crash frequency from attacks
- Deploy PCF instances behind a reverse proxy with request validation capabilities
- Enable automatic service restart with monitoring to minimize downtime during exploitation attempts
# Example: Restrict PCF SBI access using iptables
# Only allow traffic from authorized NF components (replace IP ranges as needed)
iptables -A INPUT -p tcp --dport 8000 -s 10.100.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
