Null Pointer Dereference in Free5GC PCF by Free5GC
CVE-2026-1739

6.9MEDIUM

Key Information:

Vendor: Free5gc
Status: Pcf
Vendor: CVE Published:; 2 February 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-1739?

A vulnerability exists in the Free5GC PCF affecting versions up to 1.4.1, where a null pointer dereference can occur within the HandleCreateSmPolicyRequest function of the smpolicy.go file. This flaw can be exploited remotely, potentially leading to denial of service. Users are urged to apply the available patch to mitigate the risk associated with this vulnerability, as it has been publicly disclosed and could be actively targeted by attackers.

Affected Version(s)

pcf 1.4.0

pcf 1.4.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-1739 - Proof of Concept

References

https://vuldb.com/?id.343638

vdb-entrytechnical-description

https://vuldb.com/?ctiid.343638

signaturepermissions-required

https://vuldb.com/?submit.741194

third-party-advisory

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Feb 2, 2026
👾
Exploit known to exist
Feb 2, 2026
Vulnerability published
Feb 2, 2026
Vulnerability Reserved
Feb 1, 2026

Credit

ZiyuLin (VulDB User)

CVE-2026-1739 Data

JSON

Free5gc

Badges

What is CVE-2026-1739?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit