
CVE-2026-44316: free5GC Auth Bypass Vulnerability

CVE-2026-44316 is an authentication bypass flaw in free5GC's PCF component that allows unauthenticated requests to trigger nil-pointer panics. This post covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-44316 Overview

CVE-2026-44316 is a nil pointer dereference vulnerability [CWE-476] in free5GC, an open-source implementation of the 5G core network. The flaw resides in the Policy Control Function (PCF) HandleCreateSmPolicyRequest handler for POST /npcf-smpolicycontrol/v1/sm-policies. When a downstream Unified Data Repository (UDR) lookup returns 404 Not Found, the OpenAPI consumer wrapper returns a non-nil error together with a nil response struct. The handler logs the error but continues executing, then dereferences the nil struct and panics. Gin recovery converts the panic into an HTTP 500 response. The issue affects free5GC versions prior to 4.2.2.

Critical Impact

A single unauthenticated POST request containing an unknown Data Network Name (DNN) triggers a panic in the PCF process, breaking session management for legitimate 5G subscribers.

Affected Products

  • free5GC versions prior to 4.2.2
  • free5GC PCF component (Npcf_SMPolicyControl service)
  • free5GC 4.2.1 (also vulnerable due to missing authentication middleware on the route group)

Discovery Timeline

  • 2026-05-27 - CVE-2026-44316 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-44316

Vulnerability Analysis

The vulnerability exists in the free5GC PCF HandleCreateSmPolicyRequest function, which processes session management policy creation requests from the Session Management Function (SMF). The handler performs a downstream OpenAPI consumer call to the UDR to retrieve subscription policy data. When the UDR responds with 404 Not Found (for example, when a request specifies an unknown DNN), the consumer wrapper returns a non-nil error alongside a nil response struct.

The handler logs the OpenAPI error but does not return from the function. Execution continues to a subsequent line that dereferences fields on the nil response struct, triggering a runtime panic. The Gin framework's recovery middleware intercepts the panic and converts it into an HTTP 500 response instead of returning a clean 4xx error. While the PCF process itself continues running, individual policy creation requests fail, disrupting 5G session establishment.

Root Cause

The root cause is improper error handling in the PCF handler. The code treats the OpenAPI consumer's err != nil condition as recoverable and continues execution without validating that the response struct is non-nil. The fix in version 4.2.2 adds proper error handling to return early when the downstream call fails. See GitHub Commit df535f5 for the patch details.
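The defect pattern and the early-return fix, side by side, as an added Go illustration that is not free5GC's code: the UDR consumer stand-in, the type names and the choice to answer a UDR 404 with a 404 toward the caller are assumptions; the error-then-continue shape and the deferred recovery that turns the panic into a 500 are the behaviour the advisory describes.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// SmPolicyData is an assumed stand-in for the response struct the OpenAPI
// consumer wrapper returns; free5GC's real types are not used here.
type SmPolicyData struct {
	Dnn string
}

// apiError carries the downstream HTTP status, as an OpenAPI-style error would.
type apiError struct{ Status int }

func (e *apiError) Error() string { return fmt.Sprintf("udr returned %d", e.Status) }

// lookupUDR mimics the downstream consumer call: a known DNN resolves, any other
// DNN yields a non-nil error together with a nil response struct (the 404 case).
func lookupUDR(dnn string) (*SmPolicyData, error) {
	known := map[string]bool{"internet": true}
	if !known[dnn] {
		return nil, &apiError{Status: http.StatusNotFound}
	}
	return &SmPolicyData{Dnn: dnn}, nil
}

// vulnerableHandler reproduces the defect: the error is logged, execution
// continues, and the nil struct is dereferenced. The deferred recover plays the
// role of Gin's Recovery middleware, so the caller observes a 500.
func vulnerableHandler(dnn string) (status int) {
	defer func() {
		if r := recover(); r != nil {
			status = http.StatusInternalServerError
		}
	}()
	data, err := lookupUDR(dnn)
	if err != nil {
		fmt.Println("udr lookup failed:", err) // logged, but no return
	}
	_ = data.Dnn // nil pointer dereference on the 404 path
	return http.StatusCreated
}

// fixedHandler returns early when the downstream call fails, so the nil struct
// is never touched; a UDR 404 becomes a clean 4xx instead of a recovered panic.
func fixedHandler(dnn string) int {
	data, err := lookupUDR(dnn)
	if err != nil {
		var ae *apiError
		if errors.As(err, &ae) && ae.Status == http.StatusNotFound {
			return http.StatusNotFound
		}
		return http.StatusInternalServerError
	}
	_ = data.Dnn
	return http.StatusCreated
}

func main() {
	for _, dnn := range []string{"internet", "unknown-dnn"} {
		fmt.Printf("dnn=%q vulnerable=%d fixed=%d\n", dnn, vulnerableHandler(dnn), fixedHandler(dnn))
	}
}
```

The check that matters in review is the one `fixedHandler` adds: after `err != nil` the function leaves before any field of the response is read, which is what the 4.2.2 change does in the real handler.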

Attack Vector

The attack vector is network-based and requires no authentication in free5GC 4.2.1, because the PCF Npcf_SMPolicyControl route group is mounted without inbound authentication middleware. An attacker with network access to the PCF service endpoint sends a crafted POST request to /npcf-smpolicycontrol/v1/sm-policies containing input that causes the UDR lookup to fail, such as an unknown DNN value. Each such request produces an HTTP 500 response and consumes server resources processing the panic and recovery cycle.

No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-wr8j-6chw-gm6p for technical details.

Detection Methods for CVE-2026-44316

Indicators of Compromise

  • HTTP 500 responses from the PCF endpoint /npcf-smpolicycontrol/v1/sm-policies correlated with POST requests containing anomalous DNN values
  • Gin recovery middleware panic stack traces in PCF logs referencing HandleCreateSmPolicyRequest
  • Repeated UDR 404 Not Found responses preceding PCF panics in 5G core service logs

Detection Strategies

  • Monitor PCF application logs for Go runtime panic messages and nil pointer dereference stack traces
  • Correlate elevated rates of HTTP 500 responses on npcf-smpolicycontrol routes with source IP addresses to identify probing activity
  • Inspect inbound POST request bodies for invalid or unregistered DNN values targeting the SM policies endpoint

Monitoring Recommendations

  • Enable verbose logging on the PCF service to capture OpenAPI consumer errors and downstream UDR response codes
  • Track request rates and 5xx error counts per service endpoint using metrics exposed by the 5G core network functions
  • Alert on unauthenticated POST traffic reaching Npcf_SMPolicyControl routes in deployments running free5GC 4.2.1
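The two log-side checks from the lists above (panic traces that name the handler, and per-source rates of 500s on the sm-policies route), as an added Go example that is not part of the advisory or of free5GC: the access-log layout is assumed to be Gin's default request line, the recovery line and the sample entries are constructed, and the threshold is a parameter the operator picks.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleLog is constructed for this example: Gin-style access lines plus
// recovery lines naming the handler; it is not real free5GC output.
const sampleLog = `[GIN] 2026/05/27 - 10:00:01 | 201 |  3.100ms |  10.0.0.5 | POST     "/npcf-smpolicycontrol/v1/sm-policies"
[GIN] 2026/05/27 - 10:00:02 | 500 |  1.204ms |  10.0.0.7 | POST     "/npcf-smpolicycontrol/v1/sm-policies"
[Recovery] 2026/05/27 - 10:00:02 panic recovered: runtime error: invalid memory address or nil pointer dereference (HandleCreateSmPolicyRequest)
[GIN] 2026/05/27 - 10:00:03 | 500 |  1.180ms |  10.0.0.7 | POST     "/npcf-smpolicycontrol/v1/sm-policies"
[Recovery] 2026/05/27 - 10:00:03 panic recovered: runtime error: invalid memory address or nil pointer dereference (HandleCreateSmPolicyRequest)
[GIN] 2026/05/27 - 10:00:03 | 200 |  0.400ms |  10.0.0.5 | GET      "/npcf-policyauthorization/v1/app-sessions"
[GIN] 2026/05/27 - 10:00:04 | 500 |  1.220ms |  10.0.0.7 | POST     "/npcf-smpolicycontrol/v1/sm-policies"
[Recovery] 2026/05/27 - 10:00:04 panic recovered: runtime error: invalid memory address or nil pointer dereference (HandleCreateSmPolicyRequest)
[GIN] 2026/05/27 - 10:00:09 | 500 |  1.190ms |  10.0.0.9 | POST     "/npcf-smpolicycontrol/v1/sm-policies"
[Recovery] 2026/05/27 - 10:00:09 panic recovered: runtime error: invalid memory address or nil pointer dereference (HandleCreateSmPolicyRequest)`

// accessRe captures status, client IP, method and path from a Gin access line.
var accessRe = regexp.MustCompile(`^\[GIN\] \S+ - \S+ \| (\d{3}) \|\s+\S+ \|\s+(\S+) \| (\S+)\s+"([^"]+)"`)

const smPoliciesPath = "/npcf-smpolicycontrol/v1/sm-policies"

// scanPCFLog returns the source IPs whose POST /sm-policies requests produced
// at least `threshold` HTTP 500s, and the number of recovered panics that
// reference HandleCreateSmPolicyRequest.
func scanPCFLog(log string, threshold int) (suspects map[string]int, panics int) {
	suspects = map[string]int{}
	counts := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		if strings.Contains(line, "panic recovered") && strings.Contains(line, "HandleCreateSmPolicyRequest") {
			panics++
			continue
		}
		m := accessRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		status, ip, method, path := m[1], m[2], m[3], m[4]
		if status == "500" && method == "POST" && strings.HasPrefix(path, smPoliciesPath) {
			counts[ip]++
		}
	}
	for ip, n := range counts {
		if n >= threshold {
			suspects[ip] = n
		}
	}
	return suspects, panics
}

func main() {
	suspects, panics := scanPCFLog(sampleLog, 3)
	fmt.Printf("recovered panics in handler: %d\n", panics)
	for ip, n := range suspects {
		fmt.Printf("source %s produced %d x 500 on %s\n", ip, n, smPoliciesPath)
	}
}
```

The panic count alone tells you the defect is being hit; the per-source count separates a misconfigured SMF that fails once from a host that keeps sending unknown DNNs, which is the distinction the correlation bullet asks for.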

How to Mitigate CVE-2026-44316

Immediate Actions Required

  • Upgrade free5GC to version 4.2.2 or later, which contains the fix in the PCF component
  • Restrict network access to the PCF service so only authorized SMF instances can reach the npcf-smpolicycontrol endpoints
  • Audit deployment configurations to confirm authentication middleware is applied to all PCF service routes

Patch Information

The vulnerability is fixed in free5GC version 4.2.2. The corrective change is committed in the free5GC PCF repository under GitHub Commit df535f5 and merged via GitHub Pull Request #62. The patch adds proper error handling so the handler returns when the downstream UDR consumer call fails, preventing the subsequent nil pointer dereference.

Workarounds

  • Deploy a reverse proxy or service mesh in front of the PCF to enforce authentication on Npcf_SMPolicyControl routes when running 4.2.1
  • Apply network segmentation using firewall rules or Kubernetes NetworkPolicies to limit PCF endpoint exposure to trusted 5G core components
  • Implement input validation at an ingress layer to reject requests containing DNN values not present in the subscriber database
```bash
# Example: restrict PCF service access to SMF pods only using a Kubernetes NetworkPolicy
# (port 8000 is the assumed default SBI port; adjust to the deployed value)
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pcf-allow-smf-only
  namespace: free5gc
spec:
  podSelector:
    matchLabels:
      app: pcf
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: smf
    ports:
    - protocol: TCP
      port: 8000
EOF
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
