CVE-2026-44318
Analyzed Analyzed - Analysis Complete
Race Condition in free5GC BSF Component

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's BSF PUT /nbsf-management/v1/subscriptions/{subId} handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock() via BSFContext.GetSubscription(subId), but if the subscription does not exist, ReplaceIndividualSubcription() writes back to the same map directly without taking the mutex (bsfContext.BsfSelf.Subscriptions[subId] = subscription). Under concurrent authenticated PUT load, one goroutine can read while another writes the map, which causes the Go runtime to abort the process with fatal error: concurrent map read and map write (Go runtime panics that come from concurrent map access bypass recover() and terminate the process). The BSF container exits with code 2 -- the entire BSF SBI surface goes down until restart. This vulnerability is fixed in 4.2.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-44318
EUVD
EUVD-2026-32567
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
free5gc free5gc to 4.2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-820 The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability impacts the availability of the free5GC BSF service by causing the BSF container to crash and exit, resulting in a denial-of-service condition until the service is restarted.

There is no indication from the provided information that this vulnerability affects confidentiality or integrity of data, nor does it mention any direct impact on compliance with standards such as GDPR or HIPAA.

Since the vulnerability requires authenticated access and only causes service disruption without data leakage or modification, its compliance impact is limited to availability concerns.

Impact Analysis

The impact of this vulnerability is that under concurrent authenticated PUT requests, the BSF component of free5GC can crash due to a runtime panic caused by concurrent map access. This results in the BSF container exiting and the entire BSF SBI surface becoming unavailable until the service is restarted. Essentially, this leads to a denial of service (DoS) condition affecting the 5G core network functionality.

Executive Summary

This vulnerability exists in free5GC, an open-source 5G core network implementation, specifically in versions prior to 4.2.2. The issue is in the BSF PUT /nbsf-management/v1/subscriptions/{subId} handler, which performs an unsynchronized write operation on a global Subscriptions map. While the handler reads the map under a read lock, if a subscription does not exist, it writes to the map without acquiring the necessary mutex lock. This unsynchronized concurrent access can cause the Go runtime to panic due to concurrent map read and write operations, leading to the BSF container crashing and exiting with code 2.

Mitigation Strategies

The vulnerability is fixed in free5GC version 4.2.2. Immediate mitigation involves upgrading the free5GC BSF component to version 4.2.2 or later.

Until the upgrade can be performed, consider restarting the BSF container if it crashes due to this issue, as the BSF SBI surface goes down until restart.

Detection Guidance

This vulnerability can be detected by observing the BSF (Binding Support Function) process crashes with the Go runtime fatal error: "concurrent map read and map write." The BSF container exits with code 2, causing the BSF SBI surface to go down until it is restarted.

To detect the vulnerability on your system, you can monitor the BSF logs for the specific Go runtime panic message and container exit codes.

Additionally, you can attempt to reproduce the issue by sending concurrent authenticated PUT requests to the endpoint /nbsf-management/v1/subscriptions/{subId} with fresh subscription IDs that do not exist, which triggers the unsynchronized map write and causes the crash.

Suggested commands to detect or reproduce the issue include:

  • Use curl or a similar HTTP client to send concurrent PUT requests with valid OAuth2 tokens to the vulnerable endpoint, for example:
  • curl -X PUT -H "Authorization: Bearer <valid_token>" -d '{"subscriptionData": ...}' https://<bsf-host>/nbsf-management/v1/subscriptions/<nonexistent_subId>
  • Run multiple such requests in parallel (e.g., using a shell loop or a tool like GNU parallel) to simulate concurrent load.
  • Monitor BSF container logs for the Go runtime panic message:
  • docker logs <bsf_container_id> | grep 'concurrent map read and map write'
  • Check the container exit code to confirm crash:
  • docker inspect <bsf_container_id> --format='{{.State.ExitCode}}'
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44318. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart