CVE-2026-1974 Overview
A denial of service vulnerability has been identified in Free5GC, an open-source implementation of the 5G Core network. This vulnerability affects the ResolveNodeIdToIp function within the file internal/sbi/processor/datapath.go of the SMF (Session Management Function) component. The flaw allows remote attackers to manipulate input in a way that causes improper resource release, leading to service disruption.
Critical Impact
Remote attackers can exploit this vulnerability to cause denial of service conditions in Free5GC deployments, potentially disrupting 5G core network operations without authentication.
Affected Products
- Free5GC versions up to 4.1.0
- Free5GC SMF component (internal/sbi/processor/datapath.go)
- 5G Core network deployments using vulnerable Free5GC versions
Discovery Timeline
- February 6, 2026 - CVE-2026-1974 published to NVD
- February 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-1974
Vulnerability Analysis
This vulnerability is classified under CWE-404 (Improper Resource Shutdown or Release). The flaw resides in the SMF component's ResolveNodeIdToIp function, which is responsible for translating node identifiers to IP addresses within the 5G session management workflow. When specially crafted input is processed by this function, the component fails to properly manage system resources, resulting in a denial of service condition.
The SMF (Session Management Function) is a critical component in the 5G Core architecture, responsible for session establishment, modification, and release. Disruption of this component can have cascading effects on the entire 5G network's ability to manage user sessions and data plane connectivity.
Root Cause
The root cause of this vulnerability is improper resource shutdown or release (CWE-404) in the ResolveNodeIdToIp function. When processing certain node ID values, the function fails to properly release or clean up allocated resources, which can be exploited by an attacker to exhaust system resources or cause the service to become unresponsive. The vulnerability exists in the data path processing logic within internal/sbi/processor/datapath.go.
Attack Vector
The attack can be executed remotely over the network without requiring authentication or user interaction. An attacker can send malicious requests to the SMF component that trigger the vulnerable ResolveNodeIdToIp function. The exploit has been publicly disclosed, and technical details are available in GitHub Free5GC Issue #816.
The vulnerability manifests during node ID resolution within the SMF's session management processing. Technical details and discussion of the exploitation mechanism can be found in the vendor's issue tracker. A patch addressing this issue has been proposed in SMF Pull Request #189.
Detection Methods for CVE-2026-1974
Indicators of Compromise
- Unexpected crashes or restarts of the Free5GC SMF service
- Abnormal resource consumption (memory or CPU) in the SMF component
- Failed session establishment attempts logged by the SMF
- Unusual patterns in incoming SBI (Service-Based Interface) requests targeting the SMF
Detection Strategies
- Monitor Free5GC SMF logs for errors related to ResolveNodeIdToIp function processing
- Implement network traffic analysis to detect malformed or excessive requests to the SMF component
- Configure alerting for SMF service availability and response time degradation
- Deploy intrusion detection rules targeting abnormal 5G SBI traffic patterns
Monitoring Recommendations
- Enable detailed logging for the SMF component's data path processing
- Implement health checks for Free5GC SMF service availability
- Monitor system resource utilization on hosts running Free5GC components
- Track session establishment success rates for anomaly detection
How to Mitigate CVE-2026-1974
Immediate Actions Required
- Upgrade Free5GC to a patched version when available
- Review and apply the patch from SMF Pull Request #189
- Implement network segmentation to limit exposure of SMF endpoints
- Deploy rate limiting on SBI interfaces to reduce exploitation risk
Patch Information
A patch has been proposed to address this vulnerability. Administrators should monitor the Free5GC GitHub repository for official releases containing the fix. The recommended remediation is to apply the patch from SMF Pull Request #189 which addresses the improper resource handling in the ResolveNodeIdToIp function. Additional technical details are available in VulDB entry #344496.
Workarounds
- Restrict network access to SMF SBI interfaces to trusted sources only
- Implement firewall rules to filter potentially malicious requests
- Deploy a reverse proxy with request validation in front of Free5GC services
- Consider running Free5GC SMF in a containerized environment with resource limits
# Configuration example - Restrict SMF access via iptables
# Allow only trusted network ranges to access SMF service
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
# Set resource limits for SMF container deployment
# docker run --memory=2g --cpus=1 free5gc/smf:latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
