CVE-2026-44322
7.5 HIGHfree5GC is an open-source implementation of the 5G core network
Published: 2026-05-27 · Last updated: 2026-05-28
Severity and scoring
- CVSS
- 7.5 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE
- CWE-476, CWE-754
Affected products
| Vendor | Product |
|---|---|
| free5gc | free5gc |
Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil *ProblemDetails. The handler's errPfdData != nil branch builds its own problemDetailsErr correctly, but immediately after it reads problemDetails.Cause (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into HTTP 500, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing. This vulnerability is fixed in 4.2.2.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44322
- [Exploit reference]https://github.com/free5gc/free5gc/issues/925
- [Vendor advisory]https://github.com/free5gc/free5gc/security/advisories/GHSA-j59f-x285-69jx
- [Patch]https://github.com/free5gc/nef/commit/72a47f3fab4dffbd227f8d92c5f69dca93b610cb
- [Patch]https://github.com/free5gc/nef/pull/22
- [Vendor advisory]https://github.com/free5gc/free5gc/security/advisories/GHSA-j59f-x285-69jx
Related CVEs
Same vendor
- CVE-2026-44330 — free5GC is an open-source implementation of the 5G core network (10.0 CRITICAL)
- CVE-2026-44329 — free5GC is an open-source implementation of the 5G core network (10.0 CRITICAL)
- CVE-2026-44328 — free5GC is an open-source implementation of the 5G core network (8.2 HIGH)
- CVE-2026-44327 — free5GC is an open-source implementation of the 5G core network (10.0 CRITICAL)
- CVE-2026-44326 — free5GC is an open-source implementation of the 5G core network (9.4 CRITICAL)
Same CWE
- CVE-2026-12329 — Memory safety bug fixed in Thunderbird ESR 140.12 (5.3 MEDIUM)
- CVE-2025-70102 — A NULL pointer dereference occurs in Roy Marples NetworkConfiguration/dhcpcd 10.3.0 while parsing configuration options (6.3 MEDIUM)
- CVE-2025-55663 — A segmentation violation in the Track_SetStreamDescriptor function (isomedia/track.c) of GPAC MP4Box v2.4 allows attackers to cause a Den... (5.5 MEDIUM)
- CVE-2025-55649 — A NULL pointer dereference in the gf_media_map_esd function (media_tools/isom_tools.c) of GPAC MP4Box v2.4 allows attackers to cause a De... (5.5 MEDIUM)
- CVE-2025-55643 — A NULL pointer dereference in the TrackWriter handling component (filters/mux_isom.c) of GPAC MP4Box v2.4 allows attackers to cause a Den... (5.5 MEDIUM)