CVE-2026-44317 Overview
CVE-2026-44317 is a null pointer dereference vulnerability in free5GC, an open-source implementation of the 5G core network. The flaw resides in the Policy Control Function (PCF) POST /npcf-policyauthorization/v1/app-sessions handler. An authenticated attacker can crash the PCF process by sending a single crafted request that enables traffic-routing feature negotiation while omitting the AfRoutReq field. The bug causes the Go runtime to dereference a nil pointer, resulting in service disruption. The issue affects free5GC versions prior to 4.2.2 and is fixed in 4.2.2.
Critical Impact
An authenticated network-adjacent attacker can trigger a runtime panic in the PCF, disrupting 5G core policy authorization services with a single HTTP request.
Affected Products
- free5GC versions prior to 4.2.2
- free5GC PCF component (internal/sbi/processor/policyauthorization.go)
- 5G core deployments exposing the Npcf_PolicyAuthorization service
Discovery Timeline
- 2026-05-27 - CVE-2026-44317 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-44317
Vulnerability Analysis
The vulnerability is a null pointer dereference [CWE-476] in the PCF service of free5GC. When the PCF receives a POST /npcf-policyauthorization/v1/app-sessions request with ascReqData.suppFeat == "1", it enters the traffic-routing feature negotiation path. If medComponents entries provide an afAppId but omit the AfRoutReq structure, the create path invokes provisioningOfTrafficRoutingInfo(smPolicy, appID, routeReq, ...) with routeReq == nil.
The function then accesses routeReq.RouteToLocs and other fields without performing a nil check. This triggers a Go runtime error: invalid memory address or nil pointer dereference. The Gin web framework's recovery middleware catches the panic and converts it to an HTTP 500 response, but the goroutine handling the request terminates and the operation fails to complete.
Root Cause
The root cause is missing input validation in provisioningOfTrafficRoutingInfo. The function assumes routeReq is always populated when the feature negotiation flag is set, but the API contract permits clients to send medComponents with an afAppId and no associated AfRoutReq. The handler dereferences pointer fields on the nil structure without guarding against this case.
Attack Vector
An authenticated Application Function (AF) client with network access to the PCF Service Based Interface (SBI) sends a single POST request. The request body sets ascReqData.suppFeat to "1" and supplies medComponents containing an afAppId while omitting AfRoutReq. The handler panics, disrupting policy authorization for that session and impacting service availability.
// Patch from internal/sbi/processor/policyauthorization.go
func provisioningOfTrafficRoutingInfo(smPolicy *pcf_context.UeSmPolicyData, appID string,
routeReq *models.AfRoutingRequirement, fStatus models.FlowStatus,
) *models.PccRule {
+ if routeReq == nil {
+ logger.PolicyAuthLog.Warnf("provisioningOfTrafficRoutingInfo: routeReq is nil for appID[%s], skipping", appID)
+ return util.GetPccRuleByAfAppId(smPolicy.PolicyDecision.PccRules, appID)
+ }
+
var tcData *models.TrafficControlData
// TODO : handle temporal or spatial validity
Source: GitHub Commit 508d70b
Detection Methods for CVE-2026-44317
Indicators of Compromise
- HTTP 500 responses returned by the PCF POST /npcf-policyauthorization/v1/app-sessions endpoint following requests containing suppFeat: "1".
- Panic stack traces in PCF logs referencing provisioningOfTrafficRoutingInfo and invalid memory address or nil pointer dereference.
- Gin recovery middleware log entries correlated with policy authorization session creation requests.
Detection Strategies
- Inspect PCF application logs for repeated runtime panic recoveries on the policy authorization path.
- Monitor SBI traffic for app-sessions POST requests where medComponents[*].afAppId is set but afRoutReq is absent and suppFeat equals "1".
- Correlate spikes in HTTP 500 responses from the PCF with downstream session establishment failures.
Monitoring Recommendations
- Instrument the PCF with metrics that count panics recovered by Gin and alert on non-zero rates.
- Enable structured logging on all Npcf_PolicyAuthorization handlers to capture request payload schemas.
- Forward 5G core SBI logs to a centralized analytics platform to baseline normal request shapes and identify malformed inputs.
How to Mitigate CVE-2026-44317
Immediate Actions Required
- Upgrade free5GC to version 4.2.2 or later, which includes the nil check in provisioningOfTrafficRoutingInfo.
- Restrict network access to the PCF SBI to trusted Application Functions only, using network policy or service mesh controls.
- Audit existing AF credentials and rotate any that may have been issued broadly across the 5G core.
Patch Information
The fix is delivered in free5GC 4.2.2 via GitHub Pull Request #65 and applied in commit 508d70b. The patch adds an early nil check on routeReq and falls back to util.GetPccRuleByAfAppId when the routing requirement is absent. Refer to the GitHub Security Advisory GHSA-wwqh-7jm5-gj7w and GitHub Issue #879 for upstream details.
Workarounds
- Place a validating reverse proxy in front of the PCF that rejects app-sessions requests containing medComponents with afAppId but no afRoutReq when suppFeat is "1".
- Enforce mutual TLS and strict AF allowlisting on the SBI to limit who can submit policy authorization requests.
- Deploy PCF replicas behind a load balancer with automatic restart so individual panic events do not exhaust capacity.
# Upgrade free5GC to the patched release
git clone https://github.com/free5gc/free5gc.git
cd free5gc
git checkout v4.2.2
make all
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

