The free5GC UPF suffers from a lack of bounds checking on the SEID when processing PFCP Session Deletion Requests. An unauthenticated remote attacker can send a request with a very large SEID (e.g., 0xFFFFFFFFFFFFFFFF) that causes an integer conversion/underflow in LocalNode.DeleteSess() / LocalNode.Sess() when a uint64 SEID is converted to int and used in index arithmetic. This leads to a negative index into n.sess and a Go runtime panic, resulting in a denial of service (UPF crash). The issue has been reproduced on free5GC v4.1.0 with crashes observed in the session lookup/deletion path in internal/pfcp/node.go; other versions may also be affected. No authentication is required.
References
| Link | Resource |
|---|---|
| https://github.com/free5gc/free5gc/issues/731 | Exploit Issue Tracking Third Party Advisory |
| https://github.com/free5gc/free5gc/issues/731 | Exploit Issue Tracking Third Party Advisory |
Configurations
History
07 Jan 2026, 21:01
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Free5gc free5gc
Free5gc |
|
| CPE | cpe:2.3:a:free5gc:free5gc:4.1.0:*:*:*:*:*:*:* | |
| References | () https://github.com/free5gc/free5gc/issues/731 - Exploit, Issue Tracking, Third Party Advisory |
19 Dec 2025, 18:15
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/free5gc/free5gc/issues/731 - | |
| CWE | CWE-129 | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
18 Dec 2025, 19:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-12-18 19:16
Updated : 2026-01-07 21:01
NVD link : CVE-2025-65562
Mitre link : CVE-2025-65562
CVE.ORG link : CVE-2025-65562
JSON object : View
Products Affected
free5gc
- free5gc
CWE
CWE-129
Improper Validation of Array Index