CVE-2026-27642
Received Received - Intake
Control Character Injection in free5gc UDM Causes Info Disclosure

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, remote attackers can inject control characters (e.g., %00) into the supi parameter, triggering internal URL parsing errors (net/url: invalid control character). This exposes system-level error details and can be used for service fingerprinting. All deployments of free5GC using the UDM Nudm_UEAU service may be affected. free5gc/udm pull request 75 contains a fix for the issue. No direct workaround is available at the application level. Applying the official patch is recommended.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-25
Generated
2026-05-07
AI Q&A
2026-02-24
EPSS Evaluated
2026-05-05
NVD
CVE-2026-27642
EUVD
EUVD-2026-7463
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
free5gc udm to 1.4.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': 'CVE-2026-27642 is an Improper Input Validation vulnerability in the Unified Data Management (UDM) component of free5GC, an open-source 5G mobile core network project. Specifically, versions up to 1.4.1 allow remote attackers to inject control characters, such as the null byte (%00), into the "supi" parameter of the Nudm_UEAU service.'}, {'type': 'paragraph', 'content': 'This injection causes internal URL parsing errors due to invalid control characters, which leads to the exposure of system-level error details. These details can be exploited for service fingerprinting, potentially revealing information about the system.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the UDM incorrectly treats malformed input as a server fault, returning HTTP 500 Internal Server Error responses instead of properly validating input and returning client error responses.'}, {'type': 'paragraph', 'content': 'A patch has been implemented that enforces strict validation of the SUPI and SUCI formats and checks for mandatory information elements, preventing malformed requests from causing server errors.'}] [1, 3, 4]


How can this vulnerability impact me? :

This vulnerability can impact you by exposing internal system error details through improper handling of malformed input, which can be used by attackers for service fingerprinting and reconnaissance.

Additionally, the improper input validation causes the system to respond with HTTP 500 Internal Server Errors instead of appropriate client error responses, potentially leading to denial of service or instability in the UDM component.

Since the vulnerability affects all deployments of free5GC using the UDM Nudm_UEAU service up to version 1.4.1, any affected system may be vulnerable to remote attacks that exploit this flaw.

There is no direct application-level workaround, so applying the official patch or upgrading to a fixed version is recommended to mitigate these impacts.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending specially crafted POST requests to the Nudm_UEAU API endpoint of the free5GC UDM component containing control characters such as null bytes (%00) in the supi parameter.'}, {'type': 'paragraph', 'content': 'If the system is vulnerable, it will respond with HTTP 500 Internal Server Error responses and logs will show URL parsing errors related to invalid control characters.'}, {'type': 'paragraph', 'content': 'A practical detection method is to perform fuzz testing or manual HTTP POST requests with invalid control characters in the supi parameter and observe if the server returns 500 errors instead of 400 Bad Request.'}, {'type': 'list_item', 'content': 'Example curl command to test the vulnerability: curl -X POST \'http://<free5gc-udm-ip>:8000/nudm-ueau-ue-auth/v1/sessions\' -d \'{"supi":"imsi%00"}\' -H \'Content-Type: application/json\''}, {'type': 'list_item', 'content': "Check server logs for errors indicating 'net/url: invalid control character' or similar URL parsing errors."}] [4]


What immediate steps should I take to mitigate this vulnerability?

There is no direct application-level workaround available for this vulnerability.

The recommended immediate mitigation is to apply the official patch that fixes input validation in the free5GC UDM component.

Specifically, upgrade free5GC to a version that includes the fix merged in pull request #75, which enforces strict validation of the supi parameter and other mandatory fields, preventing invalid inputs from causing server errors.

Until the patch is applied, monitor and block suspicious requests containing control characters in the supi parameter at the network or application firewall level to reduce exposure.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart