Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-44317

CVE-2026-44317: free5GC Use-After-Free Vulnerability

CVE-2026-44317 is a use-after-free vulnerability in free5GC's PCF handler that causes nil pointer dereference on authenticated requests. This post explains its technical details, affected versions, and mitigation steps.

Published:

CVE-2026-44317 Overview

CVE-2026-44317 is a null pointer dereference vulnerability in free5GC, an open-source implementation of the 5G core network. The flaw resides in the Policy Control Function (PCF) POST /npcf-policyauthorization/v1/app-sessions handler. An authenticated attacker can crash the PCF process by sending a single crafted request that enables traffic-routing feature negotiation while omitting the AfRoutReq field. The bug causes the Go runtime to dereference a nil pointer, resulting in service disruption. The issue affects free5GC versions prior to 4.2.2 and is fixed in 4.2.2.

Critical Impact

An authenticated network-adjacent attacker can trigger a runtime panic in the PCF, disrupting 5G core policy authorization services with a single HTTP request.

Affected Products

  • free5GC versions prior to 4.2.2
  • free5GC PCF component (internal/sbi/processor/policyauthorization.go)
  • 5G core deployments exposing the Npcf_PolicyAuthorization service

Discovery Timeline

  • 2026-05-27 - CVE-2026-44317 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-44317

Vulnerability Analysis

The vulnerability is a null pointer dereference [CWE-476] in the PCF service of free5GC. When the PCF receives a POST /npcf-policyauthorization/v1/app-sessions request with ascReqData.suppFeat == "1", it enters the traffic-routing feature negotiation path. If medComponents entries provide an afAppId but omit the AfRoutReq structure, the create path invokes provisioningOfTrafficRoutingInfo(smPolicy, appID, routeReq, ...) with routeReq == nil.

The function then accesses routeReq.RouteToLocs and other fields without performing a nil check. This triggers a Go runtime error: invalid memory address or nil pointer dereference. The Gin web framework's recovery middleware catches the panic and converts it to an HTTP 500 response, but the goroutine handling the request terminates and the operation fails to complete.

Root Cause

The root cause is missing input validation in provisioningOfTrafficRoutingInfo. The function assumes routeReq is always populated when the feature negotiation flag is set, but the API contract permits clients to send medComponents with an afAppId and no associated AfRoutReq. The handler dereferences pointer fields on the nil structure without guarding against this case.

Attack Vector

An authenticated Application Function (AF) client with network access to the PCF Service Based Interface (SBI) sends a single POST request. The request body sets ascReqData.suppFeat to "1" and supplies medComponents containing an afAppId while omitting AfRoutReq. The handler panics, disrupting policy authorization for that session and impacting service availability.

go
// Patch from internal/sbi/processor/policyauthorization.go
func provisioningOfTrafficRoutingInfo(smPolicy *pcf_context.UeSmPolicyData, appID string,
	routeReq *models.AfRoutingRequirement, fStatus models.FlowStatus,
) *models.PccRule {
+	if routeReq == nil {
+		logger.PolicyAuthLog.Warnf("provisioningOfTrafficRoutingInfo: routeReq is nil for appID[%s], skipping", appID)
+		return util.GetPccRuleByAfAppId(smPolicy.PolicyDecision.PccRules, appID)
+	}
+
	var tcData *models.TrafficControlData

	// TODO : handle temporal or spatial validity

Source: GitHub Commit 508d70b

Detection Methods for CVE-2026-44317

Indicators of Compromise

  • HTTP 500 responses returned by the PCF POST /npcf-policyauthorization/v1/app-sessions endpoint following requests containing suppFeat: "1".
  • Panic stack traces in PCF logs referencing provisioningOfTrafficRoutingInfo and invalid memory address or nil pointer dereference.
  • Gin recovery middleware log entries correlated with policy authorization session creation requests.

Detection Strategies

  • Inspect PCF application logs for repeated runtime panic recoveries on the policy authorization path.
  • Monitor SBI traffic for app-sessions POST requests where medComponents[*].afAppId is set but afRoutReq is absent and suppFeat equals "1".
  • Correlate spikes in HTTP 500 responses from the PCF with downstream session establishment failures.

Monitoring Recommendations

  • Instrument the PCF with metrics that count panics recovered by Gin and alert on non-zero rates.
  • Enable structured logging on all Npcf_PolicyAuthorization handlers to capture request payload schemas.
  • Forward 5G core SBI logs to a centralized analytics platform to baseline normal request shapes and identify malformed inputs.

How to Mitigate CVE-2026-44317

Immediate Actions Required

  • Upgrade free5GC to version 4.2.2 or later, which includes the nil check in provisioningOfTrafficRoutingInfo.
  • Restrict network access to the PCF SBI to trusted Application Functions only, using network policy or service mesh controls.
  • Audit existing AF credentials and rotate any that may have been issued broadly across the 5G core.

Patch Information

The fix is delivered in free5GC 4.2.2 via GitHub Pull Request #65 and applied in commit 508d70b. The patch adds an early nil check on routeReq and falls back to util.GetPccRuleByAfAppId when the routing requirement is absent. Refer to the GitHub Security Advisory GHSA-wwqh-7jm5-gj7w and GitHub Issue #879 for upstream details.

Workarounds

  • Place a validating reverse proxy in front of the PCF that rejects app-sessions requests containing medComponents with afAppId but no afRoutReq when suppFeat is "1".
  • Enforce mutual TLS and strict AF allowlisting on the SBI to limit who can submit policy authorization requests.
  • Deploy PCF replicas behind a load balancer with automatic restart so individual panic events do not exhaust capacity.
bash
# Upgrade free5GC to the patched release
git clone https://github.com/free5gc/free5gc.git
cd free5gc
git checkout v4.2.2
make all

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.