CVE-2026-1739

5.3 MEDIUM

📋 TL;DR

A null pointer dereference vulnerability in Free5GC's Policy Control Function (PCF) allows remote attackers to cause denial of service by crashing the service. This affects all deployments using Free5GC PCF versions up to 1.4.1. The vulnerability is in the SM policy request handling function and can be exploited without authentication.

💻 Affected Systems

Products:
  • Free5GC Policy Control Function (PCF)
Versions: up to and including 1.4.1
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption of the PCF component, potentially affecting 5G core network functionality and causing service outages for mobile users.

🟠 Likely Case

Denial of service affecting the PCF service, requiring restart of the component to restore functionality.

🟢 If Mitigated

Service interruption limited to the affected PCF instance if load balancing and redundancy are properly configured.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly disclosed in GitHub issues and the vulnerability is remotely exploitable without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit df535f5524314620715e842baf9723efbeb481a7

Vendor Advisory: https://github.com/free5gc/free5gc/issues/803

Restart Required: Yes

Instructions:

1. Update to the latest Free5GC PCF version or apply commit df535f5524314620715e842baf9723efbeb481a7
2. Rebuild the PCF component
3. Restart the PCF service

🔧 Temporary Workarounds

Network segmentation

all

Restrict network access to the PCF service to trusted internal networks only

Load balancer protection

all

Configure load balancers to filter malformed SM policy requests

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to the PCF service
  • Deploy redundant PCF instances with automatic failover to minimize service disruption

🔍 How to Verify

Check if Vulnerable:

Check if running Free5GC PCF version 1.4.1 or earlier by examining version files or build metadata

Check Version:

grep -r "version" /path/to/free5gc/pcf/   # if nothing matches, check the build configuration files

Verify Fix Applied:

Verify that the deployed source includes commit df535f5524314620715e842baf9723efbeb481a7, or check for an updated version after 1.4.1

📡 Detection & Monitoring

Log Indicators:

  • PCF service crashes
  • Null pointer exception in smpolicy.go
  • Unexpected service restarts

Network Indicators:

  • Malformed SM policy requests to PCF service
  • Unusual traffic patterns to PCF endpoints

SIEM Query:

source="pcf.log" AND ("panic" OR "null pointer" OR "HandleCreateSmPolicyRequest")
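
A narrower check than the OR-based query above, as an added example that is not part of the original advisory or of Free5GC: it counts only panics whose message mentions a nil/null pointer and whose stack trace names HandleCreateSmPolicyRequest or smpolicy.go. It assumes the PCF log contains the Go runtime's panic text followed by its stack trace; the sample log, the function names `count_smpolicy_panics` and `write_sample_log`, and the `WINDOW` variable are constructed for illustration.

```shell
#!/bin/sh
# Added example: correlate a nil-pointer panic with the SM policy handler
# instead of alerting on any line that contains "panic".
# Assumption: the log holds Go panic text followed by its stack trace.

# count_smpolicy_panics FILE
# Prints the number of nil/null-pointer panics whose following WINDOW lines
# (the stack trace) mention HandleCreateSmPolicyRequest or smpolicy.go.
count_smpolicy_panics() {
    awk -v window="${WINDOW:-15}" '
        # Start of a candidate crash: panic line that names a nil/null pointer.
        /panic/ && /(nil|null) pointer/ { left = window; next }
        # Inside the trace window: count once per panic, then stop looking.
        left > 0 {
            left--
            if (/HandleCreateSmPolicyRequest|smpolicy\.go/) { hits++; left = 0 }
        }
        END { print hits + 0 }
    ' "$1"
}

# Constructed sample log (not captured from a real PCF); module and file
# paths are placeholders.
write_sample_log() {
    cat > "$1" <<'EOF'
2026-01-01T10:00:00Z INFO pcf: handling SM policy create request
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x0]

goroutine 1 [running]:
example.invalid/pcf.HandleCreateSmPolicyRequest(...)
    /placeholder/smpolicy.go:0 +0x0
2026-01-01T10:00:05Z INFO pcf: service started
2026-01-01T10:03:00Z ERROR pcf: panic: runtime error: index out of range [3] with length 2
goroutine 7 [running]:
example.invalid/pcf.OtherHandler(...)
    /placeholder/other.go:0 +0x0
2026-01-01T10:05:00Z WARN pcf: null pointer check failed in smpolicy.go, request rejected
EOF
}

log="${TMPDIR:-/tmp}/pcf_sample_$$.log"
write_sample_log "$log"
echo "SM policy nil-pointer panics: $(count_smpolicy_panics "$log")"
rm -f "$log"
```

On the constructed log, the unrelated index-out-of-range panic and the non-panic warning are ignored, so only the handler crash is counted.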
