NULL Pointer Dereference Vulnerability in free5gc Unified Data Management by free5gc
CVE-2025-69252

6.6 MEDIUM

Key Information:

Vendor: Free5gc

Status
Vendor
CVE Published: 23 February 2026

What is CVE-2025-69252?

The Unified Data Management (UDM) component in free5gc, a pivotal element of 5G mobile core network operations, contains a NULL pointer dereference that a remote, unauthenticated attacker can trigger. A maliciously crafted PUT request containing an unexpected ueId causes the service to panic, resulting in a Denial of Service. The issue affects all deployments of free5gc UDM version 1.4.1 and earlier. Immediate application of the official patch from the upstream repository is recommended, as no alternative workaround is available at the application level.

Affected Version(s)

udm <= 1.4.1

CVSS V4

Score: 6.6
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
