VYPR

Vendor CVEs

Free5gc

All CVEs

104 total · sorted by risk
  • CVE-2026-33064Mar 20, 2026
    risk 0.00cvss epss 0.00

    Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to procedure panic caused by Nil Pointer Dereference in the /sdm-subscriptions endpoint. A remote attacker can cause the UDM service to panic…

  • CVE-2026-33191Mar 20, 2026
    risk 0.00cvss epss 0.00

    Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to null byte injection in URL path parameters. A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the…

  • CVE-2026-33063Mar 20, 2026
    risk 0.00cvss epss 0.01

    free5GC is an open source 5G core network. free5GC AUSF prior to version 1.4.2 has is an Improper Null Check vulnerability leading to Denial of Service. All deployments of free5GC v4.0.1 using the AUSF UE authentication service (`/nausf-auth/v1/ue-authentications` endpoint) are…

  • CVE-2026-33062Mar 20, 2026
    risk 0.00cvss epss 0.01

    free5GC is an open source 5G core network. free5GC NRF prior to version 1.4.2 has an Improper Input Validation vulnerability leading to Denial of Service. All deployments of free5GC using the NRF discovery service are affected. The `EncodeGroupId` function attempts to access…

  • CVE-2026-32937Mar 20, 2026
    risk 0.00cvss epss 0.00

    free5GC is an open source 5G core network. free5GC CHF prior to version 1.2.2 has an out-of-bounds slice access vulnerability in the CHF `nchf-convergedcharging` service. A valid authenticated request to PUT `/nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=...` can…

  • CVE-2026-27643Feb 24, 2026
    risk 0.00cvss epss 0.00

    free5GC UDR is the user data repository (UDR) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, the NEF component reliably leaks internal parsing error details (e.g., invalid character 'n' after top-level…

  • CVE-2026-27642Feb 24, 2026
    risk 0.00cvss epss 0.01

    free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, remote attackers can inject control characters (e.g., %00) into the supi parameter, triggering internal URL…

  • CVE-2026-26025Feb 24, 2026
    risk 0.00cvss epss 0.00

    free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805)…

  • CVE-2026-26024Feb 24, 2026
    risk 0.00cvss epss 0.00

    free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805)…

  • CVE-2025-69253Feb 24, 2026
    risk 0.00cvss epss 0.00

    free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of the User Data Repository are affected by Improper Error Handling with Information Exposure. The NEF component reliably leaks internal parsing error details…

  • CVE-2025-69252Feb 23, 2026
    risk 0.00cvss epss 0.01

    free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 have a NULL Pointer Dereference vulnerability. Remote unauthenticated attackers can trigger a service panic…

  • CVE-2025-69251Feb 23, 2026
    risk 0.00cvss epss 0.00

    free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, remote attackers can inject control characters (e.g., %00) into the ueId parameter, triggering internal URL…

  • CVE-2025-69250Feb 23, 2026
    risk 0.00cvss epss 0.00

    free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, the service reliably leaks detailed internal error messages (e.g., strconv.ParseInt parsing errors) to…

  • CVE-2025-69248Feb 23, 2026
    risk 0.00cvss epss 0.01

    free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of free5GC's AMF service have a Buffer Overflow vulnerability leading to Denial of Service. Remote unauthenticated attackers can crash the AMF service by sending a…

  • CVE-2025-69247Feb 23, 2026
    risk 0.00cvss epss 0.01

    free5GC go-upf is the User Plane Function (UPF) implementation for 5G networks that is part of the free5GC project. Versions prior to 1.2.8 have a Heap-based Buffer Overflow (CWE-122) vulnerability leading to Denial of Service. Remote attackers can crash the UPF network element…

  • CVE-2025-69232Feb 23, 2026
    risk 0.00cvss epss 0.00

    free5GC is an open-source project for 5th generation (5G) mobile core networks. free5GC go-upf versions up to and including 1.2.6, corresponding to free5gc smf up to and including 1.4.0, have an Improper Input Validation and Protocol Compliance vulnerability leading to Denial of…

  • CVE-2025-69208Feb 23, 2026
    risk 0.00cvss epss 0.00

    free5GC UDR is the user data repository (UDR) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. Versions prior to 1.4.1 contain an Improper Error Handling vulnerability with Information Exposure. All deployments of free5GC using the…

  • CVE-2026-2525Feb 16, 2026
    risk 0.00cvss epss 0.00

    A vulnerability has been found in Free5GC up to 4.1.0. This affects an unknown function of the component PFCP UDP Endpoint. Such manipulation leads to denial of service. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

  • CVE-2025-70121Feb 13, 2026
    risk 0.00cvss epss 0.00

    An array index out of bounds vulnerability in the AMF component of free5GC v4.0.1 allows remote attackers to cause a denial of service via a crafted 5GS Mobile Identity in a NAS Registration Request message. The issue occurs in the GetSUCI method (NAS_MobileIdentity5GS.go) when…

  • CVE-2025-70123Feb 13, 2026
    risk 0.00cvss epss 0.00

    An improper input validation and protocol compliance vulnerability in free5GC v4.0.1 allows remote attackers to cause a denial of service. The UPF incorrectly accepts a malformed PFCP Association Setup Request, violating 3GPP TS 29.244. This places the UPF in an inconsistent…

  • CVE-2025-70122Feb 13, 2026
    risk 0.00cvss epss 0.00

    A heap buffer overflow vulnerability in the UPF component of free5GC v4.0.1 allows remote attackers to cause a denial of service via a crafted PFCP Session Modification Request. The issue occurs in the SDFFilterFields.UnmarshalBinary function (sdf-filter.go) when processing a…

  • CVE-2026-1976Feb 6, 2026
    risk 0.00cvss epss 0.01

    A weakness has been identified in Free5GC up to 4.1.0. Affected is the function SessionDeletionResponse of the component SMF. This manipulation causes null pointer dereference. The attack is possible to be carried out remotely. The exploit has been made available to the public…

  • CVE-2026-1975Feb 6, 2026
    risk 0.00cvss epss 0.01

    A security flaw has been discovered in Free5GC up to 4.1.0. This impacts the function identityTriggerType of the file pfcp_reports.go. The manipulation results in null pointer dereference. The attack can be executed remotely. The exploit has been released to the public and may…

  • CVE-2026-1974Feb 6, 2026
    risk 0.00cvss epss 0.01

    A vulnerability was identified in Free5GC up to 4.1.0. This affects the function ResolveNodeIdToIp of the file internal/sbi/processor/datapath.go of the component SMF. The manipulation leads to denial of service. Remote exploitation of the attack is possible. The exploit is…

  • CVE-2026-1973Feb 6, 2026
    risk 0.00cvss epss 0.01

    A vulnerability was determined in Free5GC up to 4.1.0. The impacted element is the function establishPfcpSession of the component SMF. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been publicly disclosed and…

  • CVE-2026-1739Feb 2, 2026
    risk 0.00cvss epss 0.01

    A vulnerability has been found in Free5GC pcf up to 1.4.1. This affects the function HandleCreateSmPolicyRequest of the file internal/sbi/processor/smpolicy.go. The manipulation leads to null pointer dereference. The attack is possible to be carried out remotely. The exploit has…

  • CVE-2026-1684Jan 30, 2026
    risk 0.00cvss epss 0.01

    A vulnerability was found in Free5GC SMF up to 4.1.0. Affected by this issue is the function HandleReports of the file /internal/context/pfcp_reports.go of the component PFCP UDP Endpoint. The manipulation results in denial of service. The attack can be executed remotely. It is…

  • CVE-2026-1683Jan 30, 2026
    risk 0.00cvss epss 0.01

    A vulnerability has been found in Free5GC SMF up to 4.1.0. Affected by this vulnerability is the function HandlePfcpSessionReportRequest of the file internal/pfcp/handler/handler.go of the component PFCP. The manipulation leads to denial of service. Remote exploitation of the…

  • CVE-2026-1682Jan 30, 2026
    risk 0.00cvss epss 0.01

    A flaw has been found in Free5GC SMF up to 4.1.0. Affected is the function HandlePfcpAssociationReleaseRequest of the file internal/pfcp/handler/handler.go of the component PFCP UDP Endpoint. Executing a manipulation can lead to null pointer dereference. The attack may be…

  • CVE-2025-66719Jan 23, 2026
    risk 0.00cvss epss 0.00

    An issue was discovered in Free5gc NRF 1.4.0. In the access-token generation logic of free5GC, the AccessTokenScopeCheck() function in file internal/sbi/processor/access_token.go bypasses all scope validation when the attacker uses a crafted targetNF value. This allows attackers…

  • CVE-2025-66720Jan 23, 2026
    risk 0.00cvss epss 0.00

    Null pointer dereference in free5gc pcf 1.4.0 in file internal/sbi/processor/ampolicy.go in function HandleDeletePoliciesPolAssoId.

  • CVE-2025-65568Dec 18, 2025
    risk 0.00cvss epss 0.00

    A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association, a PFCP Session Establishment Request that includes a CreateFAR with an empty or truncated IPv4 address field is not properly…

  • CVE-2025-65561Dec 18, 2025
    risk 0.00cvss epss 0.00

    An issue was discovered in function LocalNode.Sess in free5GC 4.1.0 allowing attackers to cause a denial of service or other unspecified impacts via crafted header Local SEID to the PFCP Session Modification Request.

  • CVE-2025-65565Dec 18, 2025
    risk 0.00cvss epss 0.00

    A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association is established, a PFCP Session Establishment Request that is missing the mandatory F-SEID (CPF-SEID) Information Element is not…

  • CVE-2025-65566Dec 18, 2025
    risk 0.00cvss epss 0.00

    A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Session Report Response that is missing the mandatory Cause Information Element, the session report handler dereferences a…

  • CVE-2025-65567Dec 18, 2025
    risk 0.00cvss epss 0.00

    A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association, a specially crafted PFCP Session Establishment Request with a CreatePDR that contains a malformed Flow-Description is not…

  • CVE-2025-65562Dec 18, 2025
    risk 0.00cvss epss 0.00

    The free5GC UPF suffers from a lack of bounds checking on the SEID when processing PFCP Session Deletion Requests. An unauthenticated remote attacker can send a request with a very large SEID (e.g., 0xFFFFFFFFFFFFFFFF) that causes an integer conversion/underflow in…

  • CVE-2025-65563Dec 18, 2025
    risk 0.00cvss epss 0.00

    A denial-of-service vulnerability exists in the omec-project UPF (component upf-epc/pfcpiface) up to at least version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Association Setup Request that is missing the mandatory NodeID Information Element, the association…

  • CVE-2025-60632Nov 24, 2025
    risk 0.00cvss epss 0.00

    An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Npcf_BDTPolicyControl API.

  • CVE-2025-60638Nov 24, 2025
    risk 0.00cvss epss 0.00

    An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Nnssf_NSSAIAvailability API.

  • CVE-2025-60633Nov 24, 2025
    risk 0.00cvss epss 0.00

    An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API.

  • CVE-2025-63679Nov 12, 2025
    risk 0.00cvss epss 0.00

    free5gc v4.1.0 and before is vulnerable to Buffer Overflow. When AMF receives an UplinkRANConfigurationTransfer NGAP message from a gNB, the AMF process crashes.

  • CVE-2025-56394Sep 23, 2025
    risk 0.00cvss epss 0.00

    Free5gc 4.0.1 is vulnerable to Buffer Overflow. The AMF incorrectly validates the 5GS mobile identity, resulting in slice reference overflow.

  • CVE-2025-29632May 29, 2025
    risk 0.00cvss epss 0.00

    Buffer Overflow vulnerability in Free5gc v.4.0.0 allows a remote attacker to cause a denial of service via the AMF, NGAP, security.go, handler_generated.go, handleInitialUEMessageMain, DecodePlainNasNoIntegrityCheck, GetSecurityHeaderType components

  • CVE-2025-29339Apr 22, 2025
    risk 0.00cvss epss 0.00

    An issue in UPF in Open5GS UPF versions up to v2.7.2 results an assertion failure vulnerability in PFCP session parameter validation. When processing a PFCP Session Establishment Request with PDN Type=0, the UPF fails to handle the invalid value propagated from SMF (or via…

  • CVE-2023-49391Dec 22, 2023
    risk 0.00cvss epss 0.01

    An issue was discovered in free5GC version 3.3.0, allows remote attackers to execute arbitrary code and cause a denial of service (DoS) on AMF component via crafted NGAP message.

  • CVE-2023-47025Nov 16, 2023
    risk 0.00cvss epss 0.00

    An issue in Free5gc v.3.3.0 allows a local attacker to cause a denial of service via the free5gc-compose component.

  • CVE-2023-47347Nov 15, 2023
    risk 0.00cvss epss 0.01

    Buffer Overflow vulnerability in free5gc 3.3.0 allows attackers to cause a denial of service via crafted PFCP messages whose Sequence Number is mutated to overflow bytes.

  • CVE-2023-47345Nov 15, 2023
    risk 0.00cvss epss 0.01

    Buffer Overflow vulnerability in free5gc 3.3.0 allows attackers to cause a denial of service via crafted PFCP message with malformed PFCP Heartbeat message whose Recovery Time Stamp IE length is mutated to zero.

  • CVE-2023-47346Nov 13, 2023
    risk 0.00cvss epss 0.01

    Buffer Overflow vulnerability in free5gc 3.3.0, UPF 1.2.0, and SMF 1.2.0 allows attackers to cause a denial of service via crafted PFCP messages.