Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-1976

CVE-2026-1976: Free5gc Free5gc DoS Vulnerability

CVE-2026-1976 is a denial of service flaw in Free5gc Free5gc caused by null pointer dereference in the SMF component. Attackers can exploit this remotely to disrupt services. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-1976 Overview

A null pointer dereference vulnerability has been identified in Free5GC, an open-source 5G Core Network implementation, affecting versions up to and including 4.1.0. The vulnerability exists within the SessionDeletionResponse function of the Session Management Function (SMF) component. When exploited, this weakness causes a null pointer dereference condition that can be triggered remotely over the network, potentially leading to denial of service conditions affecting 5G network operations.

Critical Impact

Remote attackers can exploit this vulnerability to crash the SMF component, disrupting 5G session management and affecting network availability for connected devices and services.

Affected Products

  • Free5GC versions up to and including 4.1.0
  • Free5GC SMF (Session Management Function) component
  • 5G Core Network deployments utilizing vulnerable Free5GC versions

Discovery Timeline

  • February 6, 2026 - CVE-2026-1976 published to NVD
  • February 9, 2026 - Last updated in NVD database

Technical Details for CVE-2026-1976

Vulnerability Analysis

This vulnerability is classified as a Null Pointer Dereference (CWE-476) combined with Improper Resource Shutdown or Release (CWE-404). The flaw resides in the SMF component's handling of session deletion responses within the Free5GC 5G core network implementation.

The SMF is a critical network function in 5G architecture responsible for session management, IP address allocation, and policy enforcement. When the SessionDeletionResponse function processes certain malformed or unexpected input during PDU session teardown operations, it fails to properly validate pointer references before dereferencing them. This results in the application attempting to access memory at a null address, causing an immediate crash.

The vulnerability can be exploited remotely without authentication, as the affected function processes network-facing requests. However, the impact is limited to availability—there is no evidence of data confidentiality or integrity compromise.

Root Cause

The root cause stems from insufficient null pointer validation in the SessionDeletionResponse function within the SMF component. When processing session deletion operations, the code fails to verify that expected data structures and object references are properly initialized before attempting to access their members. This missing defensive check allows specially crafted network requests to trigger the null pointer dereference condition.

Attack Vector

The attack can be initiated remotely over the network without requiring authentication or user interaction. An attacker with network access to the Free5GC SMF component can send malicious session deletion requests designed to trigger the vulnerable code path. The exploitation requires no special privileges and can be performed with low attack complexity.

The exploit technique involves crafting network messages that cause the SessionDeletionResponse function to operate on uninitialized or null pointer references. While an exploit has been reported as publicly available, successful exploitation results in denial of service through service crash rather than code execution.

Detailed technical information about the vulnerability can be found in the GitHub issue tracker and the associated SMF pull request containing the fix.

Detection Methods for CVE-2026-1976

Indicators of Compromise

  • Unexpected SMF process crashes or restarts in Free5GC deployments
  • Segmentation fault errors in SMF component logs related to session deletion operations
  • Abnormal session deletion request patterns from unauthorized or unexpected sources
  • Service disruption affecting PDU session management in the 5G core network

Detection Strategies

  • Monitor Free5GC SMF process stability and implement alerting on unexpected restarts or crashes
  • Implement network traffic analysis to detect anomalous session deletion request patterns targeting the SMF
  • Deploy application-level logging to capture detailed information about session deletion operations and failures
  • Use intrusion detection systems to identify known attack signatures associated with this vulnerability

Monitoring Recommendations

  • Enable comprehensive logging for the SMF component, particularly around session management operations
  • Implement process monitoring and automatic restart capabilities with crash notification
  • Monitor network traffic to the SMF for unusual request volumes or malformed packets
  • Establish baseline metrics for session deletion operations to detect anomalous activity

How to Mitigate CVE-2026-1976

Immediate Actions Required

  • Upgrade Free5GC to a patched version that addresses the null pointer dereference in the SMF component
  • Review the SMF pull request #189 for patch details and apply the fix
  • Implement network segmentation to limit access to the SMF component from untrusted networks
  • Enable process monitoring and automatic restart capabilities to minimize service disruption

Patch Information

A patch addressing this vulnerability is available through the Free5GC project. The fix is documented in the SMF component pull request #189 on GitHub. Organizations should update to the latest Free5GC release that incorporates this security fix. Additional details about the vulnerability and remediation are available in the GitHub issue #817.

Workarounds

  • Restrict network access to the SMF component using firewall rules to allow only trusted sources
  • Implement rate limiting on session management API endpoints to reduce the impact of potential exploit attempts
  • Deploy a reverse proxy or API gateway in front of the SMF to filter and validate incoming requests
  • Monitor and alert on SMF crashes to enable rapid incident response
bash
# Example: Restrict SMF access using iptables
# Allow only trusted management network (adjust IP ranges as needed)
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne