CVE-2026-41135 Overview
CVE-2026-41135 is a memory leak vulnerability affecting the Policy Control Function (PCF) component of free5GC, an open-source project for 5th generation (5G) mobile core networks. This vulnerability allows any unauthenticated attacker with network access to the PCF SBI (Service-Based Interface) to cause uncontrolled memory growth by sending repeated HTTP requests to the OAM endpoint.
The flaw stems from a router.Use() call inside an HTTP handler that registers a new CORS middleware on every incoming request, permanently growing the Gin router's handler chain. This leads to progressive memory exhaustion and eventual Denial of Service of the PCF, preventing all User Equipment (UEs) from obtaining AM and SM policies and blocking 5G session establishment.
Critical Impact
Unauthenticated attackers can trigger memory exhaustion in the free5GC PCF, completely blocking 5G session establishment and policy distribution for all connected devices.
Affected Products
- free5GC versions prior to 1.4.3
- free5GC PCF component versions prior to 1.4.3
Discovery Timeline
- 2026-04-22 - CVE-2026-41135 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-41135
Vulnerability Analysis
This vulnerability is classified as a resource exhaustion issue (CWE-400) that enables Denial of Service attacks against 5G mobile core infrastructure. The PCF is a critical network function responsible for policy control in 5G networks, managing access and mobility policies as well as session management policies for all connected user equipment.
The vulnerability is exploitable remotely over the network without requiring any authentication or user interaction. An attacker can exploit this flaw by repeatedly sending HTTP requests to the OAM (Operations, Administration, and Maintenance) endpoint on the PCF SBI interface, causing memory to grow unbounded until the service crashes.
The impact is significant for 5G network operators using free5GC, as a successful attack results in complete disruption of policy services, preventing new 5G sessions from being established and potentially affecting existing connections that require policy updates.
Root Cause
The root cause is a programming error in the PCF's HTTP router configuration. A router.Use() call is placed inside an HTTP handler function rather than during router initialization. This causes a new CORS middleware to be registered on every incoming request, permanently growing the Gin framework's handler chain.
Each request adds middleware to the chain without any cleanup mechanism, leading to continuous memory growth. Over time, this accumulation exhausts available memory and causes the PCF service to become unresponsive or crash entirely.
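The growth pattern described above can be reproduced in a small model that uses only the Go standard library. This is an added example, not free5GC or Gin code: Router, cors, leakyOAM, fixedOAM, ChainAfter, the /oam-placeholder path and the origin value are hypothetical stand-ins for the Gin engine and the PCF OAM handler.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Router models a Gin engine (not Gin code): Use appends to one long-lived chain.
type Router struct{ chain []http.HandlerFunc }

func (r *Router) Use(m http.HandlerFunc) { r.chain = append(r.chain, m) }

// run walks the whole chain for a request, so per-request cost tracks chain length.
func (r *Router) run(w http.ResponseWriter, req *http.Request) {
	for _, m := range r.chain {
		m(w, req)
	}
}

// cors is a constructed middleware; the origin is a placeholder value.
func cors(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", "https://oam.example")
}

// leakyOAM mirrors the flaw: the handler registers middleware on every request.
func leakyOAM(r *Router) http.HandlerFunc {
	return func(w http.ResponseWriter, req *http.Request) {
		r.Use(cors) // registration in the request path: the chain never shrinks
		r.run(w, req)
	}
}

// fixedOAM registers the middleware once, while the routes are being built.
func fixedOAM(r *Router) http.HandlerFunc {
	r.Use(cors)
	return r.run
}

// ChainAfter serves n sequential requests and returns the final chain length.
func ChainAfter(build func(*Router) http.HandlerFunc, n int) int {
	r := &Router{}
	h := build(r)
	for i := 0; i < n; i++ {
		h(httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/oam-placeholder", nil))
	}
	return len(r.chain)
}

func main() {
	fmt.Println("leaky:", ChainAfter(leakyOAM, 1000), "fixed:", ChainAfter(fixedOAM, 1000))
}
```

A check of this shape, asserting that the handler chain length is unchanged after a batch of requests, works as a regression test for this bug class.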
Attack Vector
The attack vector is network-based and requires no authentication. For an attacker with network access to the PCF SBI, exploitation proceeds as follows:
- The attacker identifies the PCF's OAM endpoint exposed on the SBI
- The attacker sends repeated HTTP requests to the vulnerable endpoint
- Each request triggers the middleware registration bug, consuming additional memory
- Memory grows unbounded until the PCF service crashes or becomes unresponsive
The following patch demonstrates the fix applied to address this vulnerability:
smPolicyRoutes := s.getSmPolicyRoutes()
smPolicyGroup := s.router.Group(factory.PcfSMpolicyCtlResUriPrefix)
+ smRouterAuthorizationCheck := util.NewRouterAuthorizationCheck(models.ServiceName_NPCF_SMPOLICYCONTROL)
+ smPolicyGroup.Use(func(c *gin.Context) {
+ smRouterAuthorizationCheck.Check(c, s.Context())
+ })
applyRoutes(smPolicyGroup, smPolicyRoutes)
amPolicyRoutes := s.getAmPolicyRoutes()
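Review bot: the closure added on the smPolicyGroup.Use lines never aborts the request itself, so denial depends entirely on smRouterAuthorizationCheck.Check stopping the context on failure; confirm that Check aborts and writes the error response, otherwise the handlers registered by applyRoutes still run for unauthorized callers, and cover that case with a test. Keeping the Use call ahead of applyRoutes(smPolicyGroup, smPolicyRoutes) is the right order, because Gin group middleware only applies to routes registered after it. These lines cover only the SM policy group: the per-request router.Use() in the OAM handler is not part of this excerpt, so its removal, and whether the OAM and AM policy groups get an equivalent check, should be verified in the full commit.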
Source: GitHub Commit Details
The patch moves the middleware registration to the proper location during router group initialization and adds authorization checks, ensuring middleware is registered once and authentication is enforced.
Detection Methods for CVE-2026-41135
Indicators of Compromise
- Rapid memory growth in the PCF process without corresponding legitimate traffic increases
- Unusual patterns of HTTP requests targeting the PCF OAM endpoint from single or multiple sources
- PCF service crashes or restarts due to out-of-memory conditions
- Failed 5G session establishment attempts across multiple user equipment
Detection Strategies
- Monitor PCF process memory utilization with alerting thresholds for abnormal growth patterns
- Implement rate limiting and anomaly detection for HTTP requests to the SBI interface
- Track HTTP request patterns to OAM endpoints for repetitive or automated request behavior
- Configure logging for all unauthenticated access attempts to PCF endpoints
Monitoring Recommendations
- Deploy application performance monitoring (APM) tools to track PCF memory consumption trends over time
- Implement network-level traffic analysis for the SBI interface to detect request flooding patterns
- Configure alerts for PCF service restarts or availability degradation
- Monitor 5G session establishment success rates as an indirect indicator of PCF health
How to Mitigate CVE-2026-41135
Immediate Actions Required
- Upgrade free5GC to version 1.4.3 or later, which contains the security patch
- Restrict network access to the PCF SBI interface using firewall rules or network segmentation
- Implement rate limiting on HTTP endpoints exposed by the PCF
- Monitor PCF memory usage and configure automated alerts for abnormal patterns
Patch Information
The vulnerability has been addressed in free5GC version 1.4.3. The fix is available in commit 599803b1b2eb4611e26d5216481ee142bce71a16 on the free5GC PCF repository. Organizations running affected versions should upgrade immediately.
For detailed information about the vulnerability and patch, refer to the GitHub Security Advisory.
Workarounds
- Implement network access controls to restrict access to the PCF SBI interface to trusted network segments only
- Deploy a reverse proxy or API gateway with rate limiting in front of the PCF to mitigate request flooding
- Configure container or process memory limits to prevent system-wide impact from memory exhaustion
- Monitor and restart the PCF service automatically if memory thresholds are exceeded until patching is possible
# Example: Restrict PCF SBI interface access using iptables
# Replace <PCF_SBI_PORT> and <TRUSTED_NETWORK> with actual values
iptables -A INPUT -p tcp --dport <PCF_SBI_PORT> -s <TRUSTED_NETWORK> -j ACCEPT
iptables -A INPUT -p tcp --dport <PCF_SBI_PORT> -j DROP
# Example: Set memory limits for PCF container
# docker-compose.yml form shown below; in a Kubernetes Deployment, set
# resources.limits.memory on the container spec instead
# deploy:
#   resources:
#     limits:
#       memory: 2G

