CVE-2026-33191
Null Byte Injection in Free5GC UDM Causes DoS Error
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | udm | up to 1.4.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-248 | An exception is thrown from a function, but it is not caught. |
| CWE-158 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33191 is a vulnerability in the Unified Data Management (UDM) component of free5GC versions prior to 1.4.2. It involves a null byte injection attack where a remote attacker can insert null bytes (encoded as %00) into the "supi" path parameter of the Nudm_SubscriberDataManagement API.

This injection causes Go's net/url package to fail when parsing the URL, producing an "invalid control character in URL" error and resulting in a 500 Internal Server Error. Instead of properly validating the input and returning a 400 Bad Request, the system fails, which can be exploited to cause denial of service. [1]

How can this vulnerability impact me?
This vulnerability can be exploited by remote attackers to cause denial of service (DoS) attacks against the free5GC UDM component. By injecting null bytes into the "supi" parameter, attackers cause the system to fail with a 500 Internal Server Error, disrupting normal service availability.

There is no direct application-level workaround, so affected systems remain vulnerable until patched. This can lead to service interruptions and potential operational impact for networks using free5GC versions prior to 1.4.2. [1]

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring requests to the UDM Nudm_SubscriberDataManagement API for the presence of null byte injections (URL-encoded as %00) in the supi path parameter.

One way to detect exploitation attempts is to look for HTTP 500 Internal Server Error responses from the UDM service when requests contain %00 in the supi parameter.

You can use network traffic inspection tools or logs to identify such requests.

- Use tools like tcpdump or Wireshark to capture traffic and filter for requests containing '%00' in the URL path.
- Example tcpdump command to capture HTTP requests with %00 in the URL path: `tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '%00'`
- Check application logs of the UDM service for repeated 500 Internal Server Errors correlated with requests containing %00 in the supi parameter.

[1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade free5GC to version 1.4.2 or later, where this vulnerability has been fixed.
If immediate upgrade is not possible, implement API gateway-level validation to reject any requests containing null bytes (%00) in path parameters before they reach the UDM service.
No direct application-level workaround exists within free5GC versions prior to 1.4.2.
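
The gateway-level check described above, as an added example (not free5GC or gateway-vendor code): a Go net/http middleware that answers 400 Bad Request when the request path carries a NUL byte, so the request never reaches the service behind it. The `/nudm-sdm/v1/...` sample paths, the SUPI value and the always-200 stand-in backend are constructed assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// rejectNULInPath answers 400 Bad Request when the decoded request path holds
// a NUL byte. net/http has already turned %00 into 0x00 in r.URL.Path here.
func rejectNULInPath(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.IndexByte(r.URL.Path, 0x00) >= 0 {
			http.Error(w, "NUL byte in request path", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed GET for path through the filter, in front of a
// hypothetical stand-in backend that always answers 200, and returns the
// status code the client would see.
func statusFor(path string) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, path, nil)
	rejectNULInPath(backend).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample paths; the SUPI value and resource name are illustrative.
	for _, p := range []string{
		"/nudm-sdm/v1/imsi-208930000000001/am-data",
		"/nudm-sdm/v1/imsi-208930000000001%00/am-data",
	} {
		fmt.Printf("%-50s -> %d\n", p, statusFor(p))
	}
}
```

In a real deployment the stand-in backend would be replaced by the proxy handler that forwards to the UDM.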