CVE-2025-65562

Description

The free5GC UPF suffers from a lack of bounds checking on the SEID when processing PFCP Session Deletion Requests. An unauthenticated remote attacker can send a request with a very large SEID (e.g., 0xFFFFFFFFFFFFFFFF) that causes an integer conversion/underflow in LocalNode.DeleteSess() / LocalNode.Sess() when a uint64 SEID is converted to int and used in index arithmetic. This leads to a negative index into n.sess and a Go runtime panic, resulting in a denial of service (UPF crash). The issue has been reproduced on free5GC v4.1.0 with crashes observed in the session lookup/deletion path in internal/pfcp/node.go; other versions may also be affected. No authentication is required.

PUBLISHED Reserved 2025-11-18 | Published 2025-12-18 | Updated 2025-12-19 | Assigner mitre

References

github.com/free5gc/free5gc/issues/731 exploit

github.com/free5gc/free5gc/issues/731

cve.org (CVE-2025-65562)

nvd.nist.gov (CVE-2025-65562)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.