CVE-2026-44316
PCF Nil-Pointer Dereference in free5GC
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | free5gc | up to 4.2.2 (excluding) |
| free5gc | free5gc | up to 4.2.1 (including) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in free5GC, an open-source 5G core network implementation, specifically in versions prior to 4.2.2. The issue occurs in the PCF POST /npcf-smpolicycontrol/v1/sm-policies handler (HandleCreateSmPolicyRequest). When a downstream OpenAPI consumer call (UDR lookup) returns a 404 Not Found error, the consumer wrapper returns an error along with a nil response struct. Instead of properly handling this error, the handler logs the error but continues execution and then dereferences the nil response struct, causing a panic.
This panic is converted by the Gin recovery middleware into an HTTP 500 Internal Server Error response. As a result, a single specially crafted POST request can cause the server to respond with a 500 error instead of a clean 4xx error when the downstream lookup fails. Despite the panic, the PCF process continues running.
Additionally, in version 4.2.1, this endpoint is accessible without an Authorization header because the route group is mounted without inbound authentication middleware, increasing the risk of exploitation. The vulnerability was fixed in version 4.2.2.
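The handler pattern the answer describes, shown as an added Go example that is not free5GC's code: the UDR consumer, its response struct, its error value and the sample DNN strings are constructed stand-ins, and `withRecovery` imitates what the Gin recovery middleware does with the panic.

```go
package main

import (
	"errors"
	"log"
	"net/http"
)

// Hypothetical stand-ins for the UDR consumer's response struct and its 404 error.
type SmPolicyData struct{ Dnn string }
var ErrNotFound = errors.New("udr: 404 Not Found")

// lookupUDR models the consumer wrapper: on 404 it returns a nil struct plus an error.
func lookupUDR(dnn string) (*SmPolicyData, error) {
	if dnn == "known-dnn" { // constructed sample value
		return &SmPolicyData{Dnn: dnn}, nil
	}
	return nil, ErrNotFound
}

// vulnerableHandler mirrors the flawed pattern: log the error, keep going, dereference nil.
func vulnerableHandler(dnn string) int {
	resp, err := lookupUDR(dnn)
	if err != nil {
		log.Printf("udr lookup failed: %v", err) // logged but not returned
	}
	log.Printf("policy created for %s", resp.Dnn) // panics when err != nil: resp is nil
	return http.StatusCreated
}

// fixedHandler returns early, mapping the downstream 404 to a clean 4xx response.
func fixedHandler(dnn string) int {
	resp, err := lookupUDR(dnn)
	if err != nil { // never touch resp after an error
		if errors.Is(err, ErrNotFound) {
			return http.StatusNotFound
		}
		return http.StatusInternalServerError
	}
	log.Printf("policy created for %s", resp.Dnn) // safe: resp is non-nil here
	return http.StatusCreated
}

// withRecovery imitates the Gin recovery middleware: a panic becomes HTTP 500, process keeps running.
func withRecovery(h func(string) int, dnn string) (status int) {
	defer func() {
		if r := recover(); r != nil {
			status = http.StatusInternalServerError
		}
	}()
	return h(dnn)
}
```

For an unknown DNN the vulnerable handler yields 500 via the recovery path while the fixed one returns 404; both return 201 for the known DNN.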
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to cause the PCF component of the free5GC 5G core network to respond with HTTP 500 errors through a single crafted POST request. This can lead to unexpected server errors and potentially disrupt normal service behavior.
Although the PCF process continues running after the panic, the improper handling of errors and the resulting server errors could be exploited to degrade service quality or cause confusion in error handling.
Furthermore, in version 4.2.1, the lack of authentication on the vulnerable endpoint increases the risk that unauthorized users could trigger this behavior.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for HTTP 500 responses from the PCF POST /npcf-smpolicycontrol/v1/sm-policies endpoint when a POST request is made with input that causes the downstream UDR lookup to fail, such as an unknown DNN.
Since the vulnerability causes the handler to panic and return HTTP 500 instead of a clean 4xx error, observing unexpected 500 errors on this endpoint may indicate exploitation attempts.
You can use network monitoring tools or a command such as curl to send a POST request with an unknown DNN to the endpoint and check whether the response is an HTTP 500 rather than a 4xx:
- `curl -X POST http://<pcf-ip>:<port>/npcf-smpolicycontrol/v1/sm-policies -d '{"dnn":"unknown-dnn"}' -v`
- Monitor the PCF service logs for HTTP 500 errors related to the sm-policies endpoint.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade free5GC to version 4.2.2 or later, where the issue has been fixed.
Until the upgrade is applied, restrict access to the PCF POST /npcf-smpolicycontrol/v1/sm-policies endpoint, especially since in version 4.2.1 this endpoint is reachable without an Authorization header.
Implement network-level controls such as firewall rules or API gateway protections to limit or block unauthorized POST requests to this endpoint.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability primarily causes a denial of service (availability impact) by returning HTTP 500 errors instead of controlled 4xx responses when a downstream lookup fails. There is no impact on confidentiality or integrity of data.
Since the vulnerability does not expose or compromise sensitive data, it does not directly affect compliance with data protection standards such as GDPR or HIPAA, which focus on confidentiality and integrity of personal or health data.
However, the availability impact could indirectly affect compliance if the service disruption leads to failure in meeting uptime or service availability requirements mandated by certain regulations or internal policies.