Title: free5gc SMF v4.1.0 Denial of Service

Description:
- The free5gc SMF can be crashed remotely by a rogue/malicious UPF that replies to a PFCP SessionEstablishmentRequest with a SessionEstablishmentResponse that omits the mandatory Cause IE.
- This leads to a Denial of Service (DoS) due to dereferencing a nil pointer when handling the response.

Credit: Ziyu Lin, Xiaofeng Wang, Wei Dong (Nanyang Technological University)

CVSS3.1 Score: 7.5
CVSS3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

PoC Details:
- Implements a rogue UPF PFCP server that sends a crafted SessionEstablishmentResponse without the Cause IE, causing the SMF to crash.
- This reliably triggers the crash when the SMF processes the response.

Reproduction Steps:
- Start the fake UPF mode.
- Code snippets are provided for the PoC, indicating how to trigger the vulnerability.
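
A receiver-side check for the condition described above, as an added example that is not free5gc code and not part of the original advisory: it walks the IEs of a raw PFCP Session Establishment Response and returns an error when the mandatory Cause IE is absent, so a handler can reject the message instead of dereferencing a missing field. The names `causeOf`, `ErrMissingCause` and `sampleNoCause` are hypothetical; the message type (51), Cause IE type (19) and header layout follow 3GPP TS 29.244.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	msgSessEstResp = 51 // PFCP Session Establishment Response
	ieCause        = 19 // Cause IE type
)
var ErrMissingCause = errors.New("pfcp: mandatory Cause IE missing")

// Constructed sample: S-flag header plus a Node ID IE (type 60) and no Cause IE.
var sampleNoCause = []byte{0x21, 51, 0, 21, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0,
	0, 60, 0, 5, 0, 10, 0, 0, 2}

// causeOf validates the message framing, walks the IE list, and returns the
// Cause value, or ErrMissingCause so the caller never touches an absent IE.
func causeOf(b []byte) (uint8, error) {
	if len(b) < 16 || b[0]>>5 != 1 || b[0]&1 == 0 || b[1] != msgSessEstResp {
		return 0, errors.New("pfcp: not a v1 session establishment response")
	}
	if int(binary.BigEndian.Uint16(b[2:4]))+4 != len(b) {
		return 0, errors.New("pfcp: length field mismatch")
	}
	ies := b[16:] // skip flags, type, length, SEID (8), sequence (3), spare (1)
	for len(ies) > 0 {
		if len(ies) < 4 {
			return 0, errors.New("pfcp: truncated IE header")
		}
		typ := binary.BigEndian.Uint16(ies[0:2])
		n := int(binary.BigEndian.Uint16(ies[2:4]))
		if len(ies) < 4+n {
			return 0, errors.New("pfcp: truncated IE value")
		}
		if typ == ieCause && n >= 1 { // a zero-length Cause IE counts as missing
			return ies[4], nil
		}
		ies = ies[4+n:]
	}
	return 0, ErrMissingCause
}

func main() {
	_, err := causeOf(sampleNoCause)
	fmt.Println("response without Cause:", err)
}
```

The same rule applies after decoding with a PFCP library: treat every mandatory IE as possibly absent and return an error before reading through its pointer.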