CVE-2026-44321
Analyzed Analyzed - Analysis Complete
SMF Process Termination via UE-IP-Pool Overlap in free5GC

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. The POST /upi/v1/upNodesLinks create-or-update handler accepts attacker-controlled JSON and passes it directly into UpNodesFromConfiguration(), which calls logger.InitLog.Fatalf(...) on several validation failures. One confirmed path is the UE-IP-pool overlap check: a single unauthenticated POST that adds a new UPF whose pool overlaps an existing UPF terminates the entire SMF process (docker ps shows Exited (1)), not just the goroutine. This vulnerability is fixed in 4.2.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-44321
EUVD
EUVD-2026-32577
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
free5gc free5gc to 4.2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in free5GC, an open-source 5G core network implementation, prior to version 4.2.2. The SMF component mounts the UPI management route group without inbound OAuth2 middleware, allowing unauthenticated access. Specifically, the POST /upi/v1/upNodesLinks create-or-update handler accepts attacker-controlled JSON input and passes it directly into a function that performs validation. If the validation fails, such as when a new UPF's IP pool overlaps with an existing UPF's pool, the SMF process terminates entirely instead of just the affected goroutine.

Impact Analysis

The vulnerability can cause a denial of service (DoS) condition by terminating the entire SMF process when an attacker sends a specially crafted unauthenticated POST request. This results in the SMF component stopping unexpectedly, which can disrupt the 5G core network services relying on free5GC.

Detection Guidance

This vulnerability causes the SMF process of free5GC to terminate unexpectedly when a specific unauthenticated POST request is made to the /upi/v1/upNodesLinks endpoint with attacker-controlled JSON that triggers a UE-IP-pool overlap.

To detect this vulnerability on your system, monitor the status of the free5GC SMF process for unexpected exits or crashes, especially after POST requests to /upi/v1/upNodesLinks.

You can use the following commands to check the status of the SMF process running in Docker:

  • docker ps -a | grep smf # Check if the SMF container has exited unexpectedly
  • docker logs <smf_container_id> # Review logs for fatal errors related to UpNodesFromConfiguration or UE-IP-pool overlap

Additionally, network monitoring tools can be used to detect suspicious POST requests to the /upi/v1/upNodesLinks endpoint.

Mitigation Strategies

The immediate mitigation step is to upgrade free5GC to version 4.2.2 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, restrict access to the SMF's UPI management route group, especially the /upi/v1/upNodesLinks endpoint, to trusted and authenticated users only.

Monitor the SMF process for unexpected terminations and restart it as necessary to maintain service availability.

Compliance Impact

The vulnerability in free5GC's SMF component causes a denial of service by crashing the entire SMF process when an unauthenticated attacker sends a crafted POST request with overlapping UE IP pools. This impacts the availability of the 5G core network services.

While the vulnerability affects availability, there is no indication from the provided information that it leads to loss of confidentiality or integrity of data.

Since common standards and regulations like GDPR and HIPAA emphasize the protection of personal data confidentiality, integrity, and availability, this vulnerability primarily impacts the availability aspect.

Disruption of network services due to denial of service could lead to non-compliance with availability requirements in these regulations, potentially affecting service continuity and reliability.

However, there is no direct evidence from the provided context that this vulnerability results in unauthorized data access or data breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44321. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart