CVE-2026-1975 Overview
A null pointer dereference vulnerability has been discovered in Free5GC, an open-source 5G core network implementation. This security flaw affects the identityTriggerType function within the pfcp_reports.go file, allowing remote attackers to cause denial of service conditions. The vulnerability can be exploited remotely without authentication, and exploit code has been publicly released.
Critical Impact
Remote attackers can trigger a null pointer dereference in Free5GC's PFCP (Packet Forwarding Control Protocol) handling, potentially causing service disruption to 5G core network functions.
Affected Products
- Free5GC versions up to and including 4.1.0
- Free5GC SMF (Session Management Function) component
- Systems running vulnerable pfcp_reports.go implementations
Discovery Timeline
- February 6, 2026 - CVE-2026-1975 published to NVD
- February 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-1975
Vulnerability Analysis
This vulnerability is classified as a null pointer dereference (CWE-476) with improper resource shutdown characteristics (CWE-404). The flaw exists in the PFCP reports handling mechanism within Free5GC's Session Management Function. When the identityTriggerType function processes malformed or unexpected input, it fails to properly validate pointer references before use, resulting in a null pointer dereference condition.
The vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker can send specially crafted PFCP messages to trigger the vulnerable code path, causing the affected service to crash. While this primarily impacts availability rather than confidentiality or integrity, disruption to 5G core network components can have significant operational consequences.
Root Cause
The root cause stems from insufficient input validation in the identityTriggerType function located in pfcp_reports.go. The code fails to check whether a pointer is null before dereferencing it, leading to a crash when unexpected or maliciously crafted data is processed. This is a common programming error in Go applications where pointer validation is omitted in error handling paths.
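The pattern described above, as an added Go illustration rather than Free5GC's own code: an optional field decoded as a nil pointer is dereferenced without a check, shown beside a guarded version. The types, field names and the `handle` wrapper are hypothetical; the wrapper goes slightly beyond the text to show a recover boundary that keeps one bad message from ending the process.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types for illustration; these are not Free5GC's structures.
// An optional information element decodes to a nil pointer when it is absent.
type ReportingTriggers struct{ VolumeThreshold bool }
type UsageReport struct{ Trigger *ReportingTriggers }

var ErrMissingTrigger = errors.New("usage report carries no trigger element")

// triggerUnsafe dereferences the optional field without checking it.
func triggerUnsafe(r *UsageReport) string {
	if r.Trigger.VolumeThreshold { // panics when Trigger is nil
		return "volume-threshold"
	}
	return "other"
}

// triggerSafe validates every pointer on the path before it is used.
func triggerSafe(r *UsageReport) (string, error) {
	if r == nil || r.Trigger == nil {
		return "", ErrMissingTrigger
	}
	return triggerUnsafe(r), nil
}

// handle runs one message handler and converts a panic into an error, so a
// single malformed message is logged and dropped instead of ending the process.
func handle(r *UsageReport, f func(*UsageReport) string) (s string, err error) {
	defer func() {
		if p := recover(); p != nil {
			err = fmt.Errorf("handler panic: %v", p)
		}
	}()
	return f(r), nil
}

func main() {
	empty := &UsageReport{} // constructed input: trigger element absent
	_, err := triggerSafe(empty)
	fmt.Println("guarded:", err)
	_, err = handle(empty, triggerUnsafe)
	fmt.Println("unguarded under recover:", err)
}
```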
Attack Vector
The attack vector is network-based, allowing remote exploitation. An attacker can target the PFCP interface exposed by Free5GC's SMF component. PFCP is used for communication between the control plane and user plane in 5G networks. By sending malformed PFCP session report requests or usage reports with missing or invalid identity trigger type fields, an attacker can trigger the null pointer dereference.
The vulnerability requires no privileges or user interaction to exploit, making it particularly accessible to remote attackers who can reach the PFCP interface. The exploit has been publicly disclosed, increasing the risk of exploitation in the wild.
Detection Methods for CVE-2026-1975
Indicators of Compromise
- Unexpected crashes or restarts of the Free5GC SMF service
- Core dump files generated by the smf process with null pointer dereference signatures
- Anomalous PFCP traffic patterns targeting port 8805 (default PFCP port)
- Log entries indicating panics or segmentation faults in pfcp_reports.go
Detection Strategies
- Monitor Free5GC SMF process stability and implement alerting on unexpected service restarts
- Implement network intrusion detection rules to identify malformed PFCP messages
- Enable Go panic recovery logging to capture detailed stack traces when crashes occur
- Review PFCP session logs for unusual patterns in identity trigger type fields
Monitoring Recommendations
- Deploy continuous monitoring of Free5GC service health and availability metrics
- Implement log aggregation to correlate crash events with network traffic patterns
- Set up alerts for repeated SMF service failures within short time windows
- Monitor network traffic to PFCP endpoints for anomalous volumes or patterns
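One way to turn the crash-log and repeated-failure items above into a check, as an added Go example that is not part of Free5GC: it finds Go nil-dereference panics whose stack trace names pfcp_reports.go and flags bursts of them. The `<RFC3339 time> <message>` line format, the 20-line trace budget and the sample log text are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Message the Go runtime prints for a nil pointer dereference.
const nilDeref = "panic: runtime error: invalid memory address or nil pointer dereference"

// FindCrashes scans lines of the assumed form "<RFC3339 time> <message>" and returns
// the time of each nil-dereference panic with a pfcp_reports.go frame in the next 20 lines.
func FindCrashes(log string) (out []time.Time) {
	at, left := time.Time{}, 0
	for _, line := range strings.Split(log, "\n") {
		ts, msg, _ := strings.Cut(line, " ")
		t, err := time.Parse(time.RFC3339, ts)
		if err != nil {
			continue // not a timestamped line
		}
		if strings.HasPrefix(msg, nilDeref) {
			at, left = t, 20
		} else if left > 0 {
			left--
			if strings.Contains(msg, "pfcp_reports.go:") {
				out, left = append(out, at), 0
			}
		}
	}
	return out
}

// Burst reports whether n crashes fall within any window of length w.
func Burst(c []time.Time, n int, w time.Duration) bool {
	for i := 0; n > 0 && i+n <= len(c); i++ {
		if c[i+n-1].Sub(c[i]) <= w {
			return true
		}
	}
	return false
}

func main() {
	// Constructed log text, not captured from a real SMF: two crashes 40 s apart.
	frame := "   /constructed/pfcp_reports.go:1 +0x0\n"
	a, b := "2026-02-10T10:00:00Z ", "2026-02-10T10:00:40Z "
	c := FindCrashes(a + nilDeref + "\n" + a + frame + b + nilDeref + "\n" + b + frame)
	fmt.Println(len(c), Burst(c, 2, time.Minute))
}
```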
How to Mitigate CVE-2026-1975
Immediate Actions Required
- Apply the patch from GitHub SMF Pull Request #189 immediately
- Review and restrict network access to PFCP interfaces to trusted sources only
- Implement rate limiting on PFCP endpoints to reduce denial of service impact
- Enable enhanced logging for PFCP message processing to detect exploitation attempts
Patch Information
A patch is available to resolve this vulnerability. The fix has been submitted through GitHub SMF Pull Request #189. Organizations running affected versions of Free5GC should apply this patch as soon as possible. For additional details, refer to the GitHub Free5GC Issue Tracker.
Workarounds
- Restrict network access to PFCP interfaces using firewall rules, limiting connections to trusted network elements only
- Deploy a reverse proxy or network filtering solution to validate PFCP messages before they reach Free5GC
- Implement service monitoring with automatic restart capabilities to minimize downtime from successful attacks
- Consider deploying Free5GC in a containerized environment with restart policies to improve resilience
# Example: Restrict PFCP port access with iptables
# Allow PFCP (port 8805) only from trusted 5G network elements
iptables -A INPUT -p udp --dport 8805 -s <trusted_upf_ip> -j ACCEPT
iptables -A INPUT -p udp --dport 8805 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

