CVE-2026-44321 Overview
CVE-2026-44321 affects free5GC, an open-source implementation of the 5G core network. The Session Management Function (SMF) component mounts the UPI management route group without inbound OAuth2 middleware. An unauthenticated attacker can send a single crafted POST request to /upi/v1/upNodesLinks that causes the entire SMF process to terminate. The vulnerability stems from validation failures in UpNodesFromConfiguration() invoking logger.InitLog.Fatalf(...), which exits the process rather than returning an error. The flaw is tracked under [CWE-306] (Missing Authentication for Critical Function) and is fixed in free5GC version 4.2.2.
Critical Impact
A single unauthenticated HTTP POST request crashes the entire SMF process, disrupting 5G session management and denying service to all subscribers attached to the affected core.
Affected Products
- free5GC versions prior to 4.2.2
- free5GC SMF (Session Management Function) component
- 5G core deployments exposing the UPI management endpoint
Discovery Timeline
- 2026-05-27 - CVE-2026-44321 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-44321
Vulnerability Analysis
The free5GC SMF exposes an HTTP route group for UPI (User Plane Interface) management. The route group is mounted without applying the OAuth2 middleware that protects other SMF endpoints. The POST /upi/v1/upNodesLinks handler implements create-or-update logic and accepts attacker-controlled JSON.
The handler passes the deserialized request body directly into UpNodesFromConfiguration(). Several validation paths inside that function call logger.InitLog.Fatalf(...) on failure. Fatalf invokes os.Exit(1), terminating the entire SMF process rather than returning an error to the goroutine handling the request. Container orchestrators observe the SMF container in an Exited (1) state.
Root Cause
Two defects combine to produce the impact. First, the UPI route group is registered without authentication middleware, exposing administrative configuration endpoints to anonymous network clients. Second, configuration validation failures invoke Fatalf in request-handling code paths, treating recoverable input errors as fatal program states.
Attack Vector
A confirmed exploitation path uses the UE-IP-pool overlap check. The attacker submits a JSON payload that adds a UPF whose IP pool overlaps an existing UPF. The overlap validator calls Fatalf, and the SMF process exits. No authentication, user interaction, or prior privilege is required, and the request traverses the network.
// Security patch in internal/sbi/api_upi.go
// return
//}
- upi.UpNodesFromConfiguration(&json)
+ if err := upi.UpNodesFromConfiguration(&json); err != nil {
+ c.Set(sbi.IN_PB_DETAILS_CTX_STR, http.StatusText(int(http.StatusBadRequest)))
+ c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+ return
+ }
upi.LinksFromConfiguration(&json)
for _, upf := range upi.UPFs {
Source: free5GC SMF commit e0974e0
The patch converts InitSmfContext to return an error and rewires the UPI handler to translate validation failures into HTTP 400 responses instead of fatal exits.
Detection Methods for CVE-2026-44321
Indicators of Compromise
- Unexpected SMF container restarts or Exited (1) status reported by docker ps or Kubernetes pod events
- HTTP POST requests to /upi/v1/upNodesLinks originating from non-administrative clients
- Log entries showing Fatalf from UpNodesFromConfiguration followed by SMF process termination
- Loss of session management traffic immediately after a single inbound HTTP request to the SBI port
Detection Strategies
- Monitor the SMF Service-Based Interface (SBI) listener for unauthenticated requests to /upi/v1/* routes
- Correlate SMF process exits with preceding HTTP requests captured in API access logs
- Alert on repeated SMF container restart loops in 5G core orchestration platforms
Monitoring Recommendations
- Enable verbose logging on the SMF SBI and forward logs to a centralized analysis platform
- Track container lifecycle events for all free5GC network functions, especially abnormal exits
- Inspect ingress traffic to the SMF management port and baseline expected source addresses
How to Mitigate CVE-2026-44321
Immediate Actions Required
- Upgrade free5GC to version 4.2.2 or later, which restores authentication on UPI routes and removes Fatalf from validation paths
- Restrict network access to the SMF SBI interface to authorized management hosts using firewall or network policy rules
- Audit deployed free5GC instances for exposed /upi/v1/upNodesLinks endpoints
Patch Information
The fix is delivered in free5GC 4.2.2 and tracked through GitHub Pull Request #203 and commit e0974e0. Additional details are available in the GitHub Security Advisory GHSA-44qj-cghf-9p97 and the original issue report.
Workarounds
- Place the SMF SBI behind a reverse proxy that enforces OAuth2 authentication on /upi/v1/* routes
- Apply Kubernetes NetworkPolicy or equivalent segmentation to block ingress to the UPI management endpoint from untrusted networks
- Disable or remove the UPI management route group if dynamic UPF reconfiguration is not required in the deployment
# Example: restrict ingress to SMF SBI using iptables
iptables -A INPUT -p tcp --dport 29502 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 29502 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
