Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27642 is an Improper Input Validation vulnerability in the Unified Data Management (UDM) component of free5GC, an open-source 5G mobile core network project. Specifically, versions up to 1.4.1 allow remote attackers to inject control characters, such as the null byte (%00), into the "supi" parameter of the Nudm_UEAU service.'}, {'type': 'paragraph', 'content': 'This injection causes internal URL parsing errors due to invalid control characters, which leads to the exposure of system-level error details. These details can be exploited for service fingerprinting, potentially revealing information about the system.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the UDM incorrectly treats malformed input as a server fault, returning HTTP 500 Internal Server Error responses instead of properly validating input and returning client error responses.'}, {'type': 'paragraph', 'content': 'A patch has been implemented that enforces strict validation of the SUPI and SUCI formats and checks for mandatory information elements, preventing malformed requests from causing server errors.'}] [1, 3, 4]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by exposing internal system error details through improper handling of malformed input, which can be used by attackers for service fingerprinting and reconnaissance.

Additionally, the improper input validation causes the system to respond with HTTP 500 Internal Server Errors instead of appropriate client error responses, potentially leading to denial of service or instability in the UDM component.

Since the vulnerability affects all deployments of free5GC using the UDM Nudm_UEAU service up to version 1.4.1, any affected system may be vulnerable to remote attacks that exploit this flaw.

There is no direct application-level workaround, so applying the official patch or upgrading to a fixed version is recommended to mitigate these impacts.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending specially crafted POST requests to the Nudm_UEAU API endpoint of the free5GC UDM component containing control characters such as null bytes (%00) in the supi parameter.'}, {'type': 'paragraph', 'content': 'If the system is vulnerable, it will respond with HTTP 500 Internal Server Error responses and logs will show URL parsing errors related to invalid control characters.'}, {'type': 'paragraph', 'content': 'A practical detection method is to perform fuzz testing or manual HTTP POST requests with invalid control characters in the supi parameter and observe if the server returns 500 errors instead of 400 Bad Request.'}, {'type': 'list_item', 'content': 'Example curl command to test the vulnerability: curl -X POST \'http://<free5gc-udm-ip>:8000/nudm-ueau-ue-auth/v1/sessions\' -d \'{"supi":"imsi%00"}\' -H \'Content-Type: application/json\''}, {'type': 'list_item', 'content': "Check server logs for errors indicating 'net/url: invalid control character' or similar URL parsing errors."}] [4]

Useful 0 Not Useful 0

Mitigation Strategies

There is no direct application-level workaround available for this vulnerability.

The recommended immediate mitigation is to apply the official patch that fixes input validation in the free5GC UDM component.

Specifically, upgrade free5GC to a version that includes the fix merged in pull request #75, which enforces strict validation of the supi parameter and other mandatory fields, preventing invalid inputs from causing server errors.

Until the patch is applied, monitor and block suspicious requests containing control characters in the supi parameter at the network or application firewall level to reduce exposure.

Useful 0 Not Useful 0