
CVE-2026-44323: free5GC Core Network DoS Vulnerability

CVE-2026-44323 is a denial-of-service flaw in the free5GC open-source 5G core network, caused by a nil-pointer dereference. Attackers can crash the service with authenticated requests. This article covers technical details, affected versions, impact, and mitigation steps.

CVE-2026-44323 Overview

CVE-2026-44323 is a nil-pointer dereference vulnerability in free5GC, an open-source implementation of the 5G core network. The flaw affects the Unified Data Repository (UDR) nudr-dr DELETE handler for AMF subscriptions under EE-subscriptions. An authenticated attacker can trigger a panic with a single crafted request after one preparatory EE-subscription create call. Gin recovery converts the panic into an HTTP 500 response, but the endpoint panics again on every such request, enabling a denial-of-service condition against the UDR network function. The vulnerability is fixed in free5GC 4.2.2.

Critical Impact

An authenticated attacker can repeatedly panic the UDR nudr-dr DELETE handler, degrading availability of 5G core subscription data services.

Affected Products

  • free5GC versions prior to 4.2.2
  • free5GC UDR network function (nudr-dr service)
  • 5G core deployments built on the affected free5GC releases

Discovery Timeline

  • 2026-05-27 - CVE-2026-44323 published to the National Vulnerability Database
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-44323

Vulnerability Analysis

The vulnerability resides in the UDR nudr-dr DELETE handler that processes the path /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions. The handler performs a presence check against UESubsData.EeSubscriptionCollection[subsId] and assigns a 404 problem-details response on the miss path. Execution then continues rather than returning, reaching UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos. Accessing AmfSubscriptionInfos on the missing map entry dereferences a nil pointer and triggers a runtime panic.

Gin's recovery middleware traps the panic and returns HTTP 500 to the caller. The handler remains reachable for repeated panics, so each request continues to consume goroutines and log volume. This issue is classified under CWE-476 Null Pointer Dereference.

Root Cause

The root cause is a missing early return after the not-found branch sets the 404 problem-details response. Control flow continues into code that assumes the map lookup succeeded. A Go map lookup returns the zero value for an absent key, which for a pointer-valued map is nil, and accessing a field through that nil pointer panics in the goroutine serving the request.

Attack Vector

Exploitation requires network access to the UDR nudr-dr API and valid service-based interface credentials. The attacker first issues an authenticated EE-subscription create request to set up reachable state. The attacker then sends a DELETE request to the amf-subscriptions path with a subsId value that does not exist in the collection. The handler panics on each such request. See the GitHub Security Advisory GHSA-4rqf-grm6-vf75 for the full technical analysis.

Detection Methods for CVE-2026-44323

Indicators of Compromise

  • Repeated HTTP 500 responses from the UDR nudr-dr DELETE /subscription-data/.../ee-subscriptions/{subsId}/amf-subscriptions endpoint
  • Go runtime panic stack traces in UDR logs referencing EeSubscriptionCollection and AmfSubscriptionInfos
  • Bursts of DELETE requests targeting non-existent subsId values from a single authenticated client

Detection Strategies

  • Alert on Gin recovery log entries containing "runtime error: invalid memory address or nil pointer dereference" within UDR processes
  • Correlate authenticated EE-subscription create events followed by DELETE attempts against unknown subsId values
  • Track HTTP 500 rate per source identity on UDR service-based interfaces and flag anomalous spikes
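
The first and third strategies above, sketched as an added example (not free5GC or vendor code). The key=value access-log layout, the client identifiers and the sample lines are constructed assumptions; only the panic text and the path segments come from this page.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Nil-dereference text quoted in the detection strategy above.
const panicSig = "runtime error: invalid memory address or nil pointer dereference"

// Assumed key=value access-log layout (hypothetical); adapt to the real SBI log format.
var accessRe = regexp.MustCompile(`client=(\S+) method=DELETE path=\S*/ee-subscriptions/[^/\s]+/amf-subscriptions status=(\d{3})`)

// Analyze counts recovery-log panic signatures and returns, sorted, the clients
// with at least `threshold` HTTP 500 responses on the amf-subscriptions DELETE path.
func Analyze(lines []string, threshold int) (panics int, flagged []string) {
	errs := map[string]int{}
	for _, l := range lines {
		if strings.Contains(l, panicSig) {
			panics++
		} else if m := accessRe.FindStringSubmatch(l); m != nil && m[2] == "500" {
			errs[m[1]]++
		}
	}
	for client, n := range errs {
		if n >= threshold {
			flagged = append(flagged, client)
		}
	}
	sort.Strings(flagged)
	return panics, flagged
}

// Constructed sample lines, not taken from a real UDR.
var sampleLogs = []string{
	"[Recovery] panic recovered: " + panicSig,
	"client=nf-a method=DELETE path=/subscription-data/imsi-1/20893/ee-subscriptions/x1/amf-subscriptions status=500",
	"[Recovery] panic recovered: " + panicSig,
	"client=nf-a method=DELETE path=/subscription-data/imsi-1/20893/ee-subscriptions/x2/amf-subscriptions status=500",
	"client=nf-a method=DELETE path=/subscription-data/imsi-1/20893/ee-subscriptions/x3/amf-subscriptions status=500",
	"client=nf-b method=DELETE path=/subscription-data/imsi-2/20893/ee-subscriptions/s1/amf-subscriptions status=204",
	"client=nf-c method=DELETE path=/subscription-data/imsi-3/20893/ee-subscriptions/y1/amf-subscriptions status=500",
}

func main() {
	fmt.Println(Analyze(sampleLogs, 3)) // 2 [nf-a]
}
```

The threshold is a tuning parameter; derive it from the baseline error rate of legitimate nudr-dr DELETE traffic rather than a fixed number.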

Monitoring Recommendations

  • Ingest UDR application logs and 5G service-based interface (SBI) access logs into a centralized analytics platform for query and alerting
  • Monitor process restart counts and goroutine panic counters on UDR pods or hosts
  • Baseline normal nudr-dr DELETE traffic patterns and trigger alerts on deviation in volume or error rate

How to Mitigate CVE-2026-44323

Immediate Actions Required

  • Upgrade free5GC to version 4.2.2, which contains the fix delivered in UDR commit 8a1d3c63be99
  • Audit issued NF service credentials and revoke any that are not strictly required to reach the UDR nudr-dr API
  • Restrict network reachability of the UDR SBI to authorized 5G core network functions only

Patch Information

The fix is included in free5GC 4.2.2. The corresponding UDR change is tracked in Pull Request #60 and applied in commit 8a1d3c63be99. The patch returns immediately after the 404 problem-details branch, preventing the subsequent nil dereference. Additional context is available in GitHub Issue #919.
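
The control-flow defect described under Root Cause and the early return described here, shown side by side as an added example; this is not the free5GC source or the actual patch. The struct shapes and function names are simplified assumptions built around the field names in this article, and withRecovery only imitates what a recovery middleware does.

```go
package main

import (
	"fmt"
	"net/http"
)

// Simplified stand-ins for the UDR structures named in the advisory (assumed shapes).
type EeSubscriptionCollection struct{ AmfSubscriptionInfos []string }

type UESubsData struct {
	EeSubscriptionCollection map[string]*EeSubscriptionCollection
}

// deleteAmfSubsVulnerable records the 404 on a miss but keeps executing, so the
// lookup below yields a nil pointer and the field access through it panics.
func deleteAmfSubsVulnerable(ue *UESubsData, subsId string) (status int) {
	status = http.StatusNoContent
	if _, ok := ue.EeSubscriptionCollection[subsId]; !ok {
		status = http.StatusNotFound // problem details assigned, but no return
	}
	ue.EeSubscriptionCollection[subsId].AmfSubscriptionInfos = nil
	return status
}

// deleteAmfSubsPatched returns as soon as the miss is detected.
func deleteAmfSubsPatched(ue *UESubsData, subsId string) int {
	entry, ok := ue.EeSubscriptionCollection[subsId]
	if !ok || entry == nil {
		return http.StatusNotFound
	}
	entry.AmfSubscriptionInfos = nil
	return http.StatusNoContent
}

// withRecovery imitates a recovery middleware: trap the panic, answer 500.
func withRecovery(h func(*UESubsData, string) int, ue *UESubsData, subsId string) (status int) {
	defer func() {
		if recover() != nil {
			status = http.StatusInternalServerError
		}
	}()
	return h(ue, subsId)
}

func main() {
	ue := &UESubsData{EeSubscriptionCollection: map[string]*EeSubscriptionCollection{"sub-1": {}}}
	fmt.Println(withRecovery(deleteAmfSubsVulnerable, ue, "missing"),
		withRecovery(deleteAmfSubsPatched, ue, "missing"),
		withRecovery(deleteAmfSubsPatched, ue, "sub-1")) // 500 404 204
}
```

A regression test for the patched handler should assert the 404 on an unknown subsId, since a 500 there means the early return is missing again.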

Workarounds

  • Place a reverse proxy or API gateway in front of the UDR to block DELETE requests to the amf-subscriptions path until the patch is applied
  • Apply rate limiting on the UDR nudr-dr DELETE endpoint per authenticated client to reduce panic frequency
  • Enable automatic process supervision so the UDR restarts cleanly if repeated panics degrade service
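
```bash
# Example: upgrade free5GC to the patched release.
# --recursive also fetches the network-function submodules (UDR included) needed by the build.
git clone --recursive --branch v4.2.2 https://github.com/free5gc/free5gc.git
cd free5gc
make all
```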
