CVE-2026-44324: free5GC UDR Denial of Service Vulnerability

CVE-2026-44324 is a denial of service vulnerability in free5GC's UDR component that causes panic on authenticated requests with non-existent user IDs. This article covers technical details, affected versions, and mitigation.

CVE-2026-44324 Overview

CVE-2026-44324 affects free5GC, an open-source implementation of the 5G core network. The vulnerability resides in the Unified Data Repository (UDR) component, specifically in the nudr-dr DELETE handler for AMF subscription removal. A single authenticated request containing a non-existent ueId triggers a Go nil interface type assertion, causing the handler to panic. Gin's recovery middleware converts the panic to an HTTP 500 response, but the endpoint remains repeatedly exploitable. The flaw is tracked as [CWE-704] (Incorrect Type Conversion or Cast) and is resolved in free5GC version 4.2.2.

Critical Impact

An authenticated attacker can repeatedly panic the UDR service by issuing DELETE requests with arbitrary non-existent ueId values, degrading availability of 5G core network operations.

Affected Products

  • free5GC versions prior to 4.2.2
  • free5GC UDR (Unified Data Repository) component
  • 5G core network deployments using free5GC

Discovery Timeline

  • 2026-05-27 - CVE-2026-44324 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-44324

Vulnerability Analysis

The vulnerability resides in the RemoveAmfSubscriptionsInfoProcedure function within free5GC's UDR processor. When the DELETE handler at /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions receives a request, it looks up the corresponding user entry with udrSelf.UESubsCollection.Load(ueId). On a miss, the code correctly sets a 404 USER_NOT_FOUND problem-details response but fails to return from the function. Execution then continues into value.(*udr_context.UESubsData), a type assertion on a nil interface, and Go raises the runtime panic "interface conversion: interface {} is nil, not *context.UESubsData". Gin's recovery middleware catches the panic and converts it to an HTTP 500 response, but the underlying issue remains exploitable on every subsequent request.

Root Cause

The root cause is a missing early return after handling the user-not-found error path. The original logic continued executing the type assertion regardless of the load result, treating the error path as informational rather than terminal. This is classified as [CWE-704] Incorrect Type Conversion or Cast.

Attack Vector

An authenticated attacker on the service-based interface (SBI) network can send a DELETE request with an arbitrary ueId not present in UESubsCollection. Each request triggers a panic in the UDR worker goroutine. Repeated requests cause sustained service disruption, generate excessive stack-trace logging, and impair availability of subscription data operations across the 5G core.

```go
// Vulnerable code path in RemoveAmfSubscriptionsInfoProcedure
// internal/sbi/processor/event_amf_subscription_info_document.go
func (p *Processor) RemoveAmfSubscriptionsInfoProcedure(c *gin.Context, subsId string, ueId string) {
    udrSelf := udr_context.GetSelf()
    value, ok := udrSelf.UESubsCollection.Load(ueId)
    var pd *models.ProblemDetails = nil

    if !ok {
        pd = util.ProblemDetailsNotFound("USER_NOT_FOUND")
        logger.DataRepoLog.Errorf("RemoveAmfSubscriptionsInfoProcedure err: %s", pd.Detail)
        // Missing return - execution continues below
    }

    // Panics when value is nil interface
    UESubsData := value.(*udr_context.UESubsData)
    _, ok = UESubsData.EeSubscriptionCollection[subsId]
}
```

Source: GitHub Commit 8a1d3c6

Detection Methods for CVE-2026-44324

Indicators of Compromise

  • Repeated HTTP 500 responses from the UDR nudr-dr DELETE endpoint targeting ee-subscriptions/{subsId}/amf-subscriptions
  • Log entries containing panic: interface conversion: interface {} is nil, not *context.UESubsData
  • Stack traces logged by Gin recovery middleware originating from RemoveAmfSubscriptionsInfoProcedure
  • Elevated error counters in DataRepoLog with USER_NOT_FOUND messages followed by panic traces

Detection Strategies

  • Monitor UDR application logs for repeated panic stack traces and runtime.gopanic frames
  • Alert on HTTP 500 response spikes at the nudr-dr service-based interface
  • Correlate authenticated SBI requests carrying unknown or randomized ueId values with subsequent error responses
  • Track per-source request rates against the DELETE amf-subscriptions handler to detect probing
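
One way to implement the panic-trace alert described above, as an added example rather than free5GC tooling: the log lines are constructed, and the leading RFC 3339 timestamp, the 30-second window and the threshold of 3 are assumptions to adapt to the deployment's actual log format.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// panicSig is the runtime panic message quoted in the advisory.
const panicSig = "interface conversion: interface {} is nil, not *context.UESubsData"

// sampleLog is constructed for this example; the line layout is an assumption.
var sampleLog = []string{
	`2026-05-27T09:12:40Z [ERRO][UDR][GIN] panic: interface conversion: interface {} is nil, not *context.UESubsData`,
	`2026-05-27T10:00:01Z [ERRO][UDR][DataRepo] RemoveAmfSubscriptionsInfoProcedure err: USER_NOT_FOUND`,
	`2026-05-27T10:00:01Z [ERRO][UDR][GIN] panic: interface conversion: interface {} is nil, not *context.UESubsData`,
	`2026-05-27T10:00:04Z [ERRO][UDR][GIN] panic: interface conversion: interface {} is nil, not *context.UESubsData`,
	`2026-05-27T10:00:09Z [ERRO][UDR][GIN] panic: interface conversion: interface {} is nil, not *context.UESubsData`,
	`2026-05-27T10:00:20Z [ERRO][UDR][GIN] panic: interface conversion: interface {} is nil, not *context.UESubsData`,
}

// panicBursts returns one alert time per burst of >= threshold panics within window.
func panicBursts(lines []string, window time.Duration, threshold int) []time.Time {
	var hits, alerts []time.Time
	for _, line := range lines { // lines are assumed to be in chronological order
		ts, rest, found := strings.Cut(line, " ")
		if !found || !strings.Contains(rest, panicSig) {
			continue
		}
		if t, err := time.Parse(time.RFC3339, ts); err == nil {
			hits = append(hits, t) // unparseable timestamps are skipped, not guessed
		}
	}
	start, alerting := 0, false
	for i, t := range hits {
		for t.Sub(hits[start]) > window {
			start++ // slide the window start past hits that are too old
		}
		n := i - start + 1
		if n >= threshold && !alerting {
			alerts = append(alerts, t) // alert once, when the burst first crosses the threshold
		}
		alerting = n >= threshold
	}
	return alerts
}

func main() { fmt.Println(panicBursts(sampleLog, 30*time.Second, 3)) }
```

The isolated 09:12:40 panic does not alert; the alert fires on the third panic of the 10:00 burst and stays quiet for the fourth.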

Monitoring Recommendations

  • Ingest free5GC UDR logs into a centralized analytics platform with retention sufficient for incident review
  • Configure dashboards tracking 4xx and 5xx response distributions for SBI endpoints
  • Enable metrics on goroutine panics and runtime errors exposed by the Go process
  • Audit SBI authentication tokens used in failed DELETE requests against expected NF identities

How to Mitigate CVE-2026-44324

Immediate Actions Required

  • Upgrade free5GC to version 4.2.2, which contains the fix for the UDR panic
  • Restrict network access to the UDR nudr-dr interface to authorized 5G core network functions only
  • Rotate or audit SBI client credentials to ensure only trusted NFs hold valid tokens
  • Review UDR logs for prior exploitation attempts before applying the patch

Patch Information

The fix was merged via GitHub Pull Request #60 and is included in free5GC 4.2.2. The patch adds an early return after the USER_NOT_FOUND problem-details response and applies similar guards on the SUBSCRIPTION_NOT_FOUND path. Additional defensive changes downgrade logger.HttpLog.Fatalf to Errorf in the panic recovery handler, preventing program exit on unhandled panics. See the GitHub Security Advisory GHSA-jqfc-gwj5-3w63 for full details.

```go
// Patched code with early return
func (p *Processor) RemoveAmfSubscriptionsInfoProcedure(c *gin.Context, subsId string, ueId string) {
    udrSelf := udr_context.GetSelf()
    value, ok := udrSelf.UESubsCollection.Load(ueId)
    var pd *models.ProblemDetails

    if !ok {
        pd = util.ProblemDetailsNotFound("USER_NOT_FOUND")
        logger.DataRepoLog.Errorf("RemoveAmfSubscriptionsInfoProcedure err: %s", pd.Detail)
        c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)
        c.JSON(int(pd.Status), pd)
        return
    }

    UESubsData := value.(*udr_context.UESubsData)
    eeSub, ok := UESubsData.EeSubscriptionCollection[subsId]
    // ...
}
```

Source: GitHub Commit 8a1d3c6
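
The fall-through and its fix can be checked as a regression test without a free5GC build. The following is an added example, not code from free5GC or the advisory: ueSubs, ueSubsData, the X-Cause header and the ueId query parameter are stand-ins chosen here, and a deferred recover plays the part of Gin's recovery middleware. The comma-ok assertion in removePatched goes one step beyond the upstream patch.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Stand-ins (assumed names) for udr_context.UESubsData and UESubsCollection.
type ueSubsData struct{ eeSubs map[string]struct{} }

var ueSubs sync.Map

// removeVulnerable records the miss but falls through to the type assertion.
func removeVulnerable(w http.ResponseWriter, r *http.Request) {
	value, ok := ueSubs.Load(r.URL.Query().Get("ueId"))
	if !ok {
		w.Header().Set("X-Cause", "USER_NOT_FOUND") // error noted, but no return
	}
	_ = value.(*ueSubsData) // value is a nil interface on a miss: runtime panic
	w.WriteHeader(http.StatusNoContent)
}

// removePatched returns on the miss; the comma-ok assertion is extra hardening.
func removePatched(w http.ResponseWriter, r *http.Request) {
	value, ok := ueSubs.Load(r.URL.Query().Get("ueId"))
	if _, typed := value.(*ueSubsData); !ok || !typed {
		http.Error(w, "USER_NOT_FOUND", http.StatusNotFound)
		return
	}
	w.WriteHeader(http.StatusNoContent)
}

// statusFor sends one DELETE for ueId through h; a recovered panic is reported as 500.
func statusFor(h http.HandlerFunc, ueId string) (code int) {
	rec := httptest.NewRecorder()
	defer func() {
		if recover() != nil {
			code = http.StatusInternalServerError
		}
	}()
	h(rec, httptest.NewRequest(http.MethodDelete, "/?ueId="+ueId, nil))
	return rec.Code
}

func main() {
	ueSubs.Store("imsi-001010000000001", &ueSubsData{}) // constructed sample entry
	fmt.Println(statusFor(removeVulnerable, "imsi-unknown"), statusFor(removePatched, "imsi-unknown"))
}
```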

Workarounds

  • Place a reverse proxy or API gateway in front of the UDR to reject DELETE requests matching the vulnerable path pattern from untrusted sources
  • Apply rate limiting on the nudr-dr DELETE endpoint to reduce panic-induced log flooding
  • Deploy network segmentation isolating UDR instances from any non-essential network functions
  • Run UDR instances under a process supervisor configured for rapid restart if panic recovery degrades

```bash
# Verify free5GC UDR version and upgrade
git -C "$GOPATH/src/free5gc/udr" log --oneline | head -5
git -C "$GOPATH/src/free5gc/udr" fetch --tags
git -C "$GOPATH/src/free5gc/udr" checkout v4.2.2
make udr
systemctl restart free5gc-udr
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
