CVE-2026-33064 Overview
Free5GC is an open-source Linux Foundation project implementing 5th generation (5G) mobile core networks. A critical Null Pointer Dereference vulnerability exists in versions prior to 1.4.2 within the /sdm-subscriptions endpoint of the UDM (Unified Data Management) service. A remote attacker can exploit this vulnerability to cause a complete service crash by sending specially crafted POST requests containing path traversal sequences and malformed JSON payloads.
Critical Impact
Successful exploitation causes the UDM service to panic and crash with a runtime error, disrupting critical 5G core network functionality until manual recovery by service restart.
Affected Products
- Free5GC UDM versions prior to 1.4.2
- Free5GC 5G Core Network implementations using the vulnerable UDM component
Discovery Timeline
- 2026-03-20 - CVE-2026-33064 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33064
Vulnerability Analysis
This vulnerability stems from missing nil pointer validation in the DataChangeNotificationProcedure function within notifier.go. When processing POST requests to the /sdm-subscriptions endpoint, the UDM service does not check that a pointer is non-nil before dereferencing it. The vulnerable code path can be triggered by sending a crafted request containing path traversal sequences (../) combined with a large JSON payload, causing the service to dereference a nil pointer.
The vulnerability is classified under CWE-476 (NULL Pointer Dereference) and CWE-478 (Missing Default Case in Multiple Condition Expression). The attack requires no authentication or user interaction, making it exploitable by any network-accessible attacker.
Root Cause
The root cause lies in the DataChangeNotificationProcedure function in notifier.go, which processes incoming subscription data change notifications. The function attempts to access pointer values without first verifying that the pointers have been properly initialized. When malformed URL paths containing path traversal sequences are processed, the internal routing logic can result in nil pointer assignments that are subsequently dereferenced, triggering a Go runtime panic with the error: runtime error: invalid memory address or nil pointer dereference.
Attack Vector
The attack is network-based and requires no privileges or user interaction. An attacker can remotely send a crafted HTTP POST request to the /sdm-subscriptions endpoint with:
- A malformed URL path containing path traversal sequences (../)
- A large JSON payload designed to trigger the vulnerable code path
The security patch introduces proper nil pointer guards and adds a validator import to ensure proper input validation before processing:
// Security patch in internal/sbi/api_httpcallback.go
// Adds validator import for input validation
"github.com/free5gc/openapi/models"
"github.com/free5gc/udm/internal/logger"
"github.com/free5gc/util/metrics/sbi"
+ "github.com/free5gc/util/validator"
)
func (s *Server) getHttpCallBackRoutes() []Route {
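Review bot: the call site for the new "github.com/free5gc/util/validator" import is not in this excerpt of internal/sbi/api_httpcallback.go, so the validation itself cannot be reviewed. Please confirm that every handler registered by getHttpCallBackRoutes() validates its path parameters before handing the request to the processor, and that a validation failure returns a 4xx response and stops there rather than logging and continuing.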
Source: GitHub Commit Changes
// Security patch in internal/sbi/processor/notifier.go
// Adds HTTP status handling for nil guard protection
package processor
import (
+ "net/http"
+
"github.com/gin-gonic/gin"
"github.com/free5gc/openapi"
Source: GitHub Commit Changes
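Review bot: the nil guard that the new "net/http" import in internal/sbi/processor/notifier.go is there to support is not part of the excerpt. Each guard in DataChangeNotificationProcedure should write its error status and return immediately, so that no later statement reaches the pointer that was just found to be nil. A regression test that drives the function with the missing value would keep the panic from coming back.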
Detection Methods for CVE-2026-33064
Indicators of Compromise
- UDM service crashes with runtime error: invalid memory address or nil pointer dereference in logs
- Unusual POST requests to /sdm-subscriptions endpoint containing ../ path traversal sequences
- Large or malformed JSON payloads in requests to the UDM service
- Repeated UDM service restarts without configuration changes
Detection Strategies
- Monitor HTTP access logs for POST requests to /sdm-subscriptions containing path traversal patterns
- Configure alerting for UDM service crashes or unexpected restarts
- Implement Web Application Firewall (WAF) rules to detect and block path traversal attempts
- Enable Go runtime panic logging to capture nil pointer dereference events
Monitoring Recommendations
- Set up real-time monitoring for UDM service health and availability metrics
- Configure log aggregation to capture and alert on runtime panic messages
- Implement network traffic analysis to detect anomalous request patterns to 5G core services
- Deploy SentinelOne agents to monitor for service disruption patterns and suspicious network activity
How to Mitigate CVE-2026-33064
Immediate Actions Required
- Upgrade Free5GC UDM to version 1.4.2 or later immediately
- Review UDM service logs for evidence of exploitation attempts
- Implement network segmentation to restrict access to 5G core services
- Deploy WAF rules to block requests containing path traversal sequences
Patch Information
The vulnerability has been addressed in Free5GC version 1.4.2. The fix introduces proper nil pointer validation in the DataChangeNotificationProcedure function and adds input validation using the validator package. Organizations should apply the patch by upgrading to version 1.4.2 or later.
For detailed patch information, refer to:
Workarounds
- Restrict network access to the UDM service to trusted internal networks only
- Implement a reverse proxy with path validation to filter malicious requests
- Deploy rate limiting on the /sdm-subscriptions endpoint to slow potential exploitation
- Configure automatic service restart with health checks to minimize downtime from crashes
# Configuration example - Restrict UDM service access using iptables
# Allow only trusted 5G core network components to access UDM
iptables -A INPUT -p tcp --dport 29503 -s 10.5.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 29503 -j DROP
# Enable automatic restart with systemd
systemctl enable free5gc-udm
systemctl edit free5gc-udm
# Add under [Service]: Restart=always and RestartSec=5
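For the reverse-proxy workaround above, the following is an added example of a path and body-size filter, not code from Free5GC or from the advisory. It goes slightly beyond the literal ../ case by also rejecting percent-encoded and double-encoded dot segments. The names pathAllowed, guard and maxBodyBytes, the 64 KiB cap and the sample path are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// maxBodyBytes is an assumed cap; size it to the largest legitimate body.
const maxBodyBytes = 64 << 10

// pathAllowed rejects any path with a "." or ".." segment, as received or after decoding.
func pathAllowed(rawPath string) bool {
	p := rawPath
	for i := 0; i < 3; i++ { // bounded rounds, so double encoding is still caught
		for _, seg := range strings.Split(strings.ReplaceAll(p, `\`, "/"), "/") {
			if seg == "." || seg == ".." {
				return false
			}
		}
		next, err := url.PathUnescape(p)
		if err != nil {
			return false // malformed percent escape
		}
		if next == p {
			return true // fully decoded and clean
		}
		p = next
	}
	return false // still decoding after three rounds: reject
}

// guard wraps the handler that forwards to the UDM (hypothetical wiring).
func guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !pathAllowed(r.URL.EscapedPath()) {
			http.Error(w, "invalid path", http.StatusBadRequest)
			return
		}
		if r.ContentLength > maxBodyBytes {
			http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
			return
		}
		r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes) // covers chunked bodies
		next.ServeHTTP(w, r)
	})
}

// main checks one constructed sample path.
func main() { fmt.Println(pathAllowed("/nudm-sdm/v2/imsi-208930000000001/sdm-subscriptions")) }
```

Wrap the proxy handler with guard so the check runs before any routing or path cleaning. A filter like this reduces exposure but does not replace the upgrade to 1.4.2.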
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

