Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33064 is a high-severity vulnerability in the Unified Data Management (UDM) component of free5GC, an open-source 5G core network project. The issue arises from a nil pointer dereference in the DataChangeNotificationProcedure function within notifier.go. When the UDM service receives a specially crafted POST request to the /sdm-subscriptions endpoint containing a malformed URL path with path traversal sequences (../) and a large JSON payload, it attempts to access a nil pointer without proper validation.'}, {'type': 'paragraph', 'content': 'This causes a runtime panic with the error message "invalid memory address or nil pointer dereference," crashing the entire UDM service. The crash results in a denial of service, disrupting UDM functionality until the service is manually restarted. The vulnerability affects free5GC versions prior to 1.4.2 and has been fixed in that version.'}] [1, 4]

Useful 0 Not Useful 0

Impact Analysis

Exploitation of this vulnerability allows a remote attacker to cause a complete crash of the UDM service by sending a crafted POST request with a malformed URL and payload. This results in a denial of service, disrupting all UDM functionality until the service is restarted.

Since UDM is a critical component in the 5G core network responsible for managing subscriber data, its disruption can lead to service outages or degraded network performance affecting mobile users.

There is no direct application-level workaround, so affected users must apply the patch or upgrade to a fixed version. Alternatively, API gateway filtering can be used to block malicious requests containing path traversal sequences.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for crashes or panics in the UDM service logs, specifically looking for runtime errors indicating nil pointer dereferences with messages like "runtime error: invalid memory address or nil pointer dereference."'}, {'type': 'paragraph', 'content': 'Additionally, detection can involve sending crafted POST requests to the /sdm-subscriptions endpoint with malformed URL paths containing path traversal sequences (../) and large JSON payloads to see if the UDM service crashes or panics.'}, {'type': 'paragraph', 'content': 'A sample command to test this could be a curl POST request similar to the following (as described in reproduction steps):'}, {'type': 'list_item', 'content': 'curl -X POST "http://127.0.0.3:8000/nudm-sdm/v2/../../sdm-subscriptions?shared-data-ids=[...]" -H "Content-Type: application/json" -d \'{...large JSON payload...}\''}, {'type': 'paragraph', 'content': 'Monitoring logs for panic stack traces in the DataChangeNotificationProcedure function in notifier.go is also recommended to detect exploitation attempts.'}] [4, 1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade free5GC to version 1.4.2 or later, where the vulnerability has been fixed.

If upgrading immediately is not possible, implement API gateway-level filtering to block requests containing path traversal sequences (../) targeting the /sdm-subscriptions endpoint.

Restarting the UDM service after a crash will restore functionality temporarily, but this does not prevent further exploitation.

Applying the patch from pull request free5gc/udm#78, which adds proper nil pointer checks and returns HTTP 204 when UE context is missing, is also recommended.

Useful 0 Not Useful 0