CVE-2026-44322
Analyzed Analyzed - Analysis Complete
Path Traversal in free5GC NEF Component

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil *ProblemDetails. The handler's errPfdData != nil branch builds its own problemDetailsErr correctly, but immediately after it reads problemDetails.Cause (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into HTTP 500, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing. This vulnerability is fixed in 4.2.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-44322
EUVD
EUVD-2026-32576
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
free5gc free5gc to 4.2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in free5GC, an open-source 5G core network implementation, specifically in versions prior to 4.2.2. The issue occurs in the NEF PATCH handler for the endpoint /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId}. When an upstream UDR call fails and the consumer wrapper returns an error along with a nil ProblemDetails object, the handler attempts to read a field from this nil object, causing a nil-pointer dereference panic. This panic results in the server returning an HTTP 500 error instead of a controlled error response.

Impact Analysis

The vulnerability can cause the affected free5GC service to panic and return HTTP 500 errors when certain upstream calls fail. This can lead to denial of service conditions for clients attempting to use the affected PATCH endpoint, potentially disrupting 5G core network operations that rely on this functionality.

Mitigation Strategies

The vulnerability is fixed in free5GC version 4.2.2. To mitigate this vulnerability, you should upgrade your free5GC deployment to version 4.2.2 or later.

Compliance Impact

The vulnerability causes a denial-of-service (DoS) condition by crashing the free5GC NEF component when the UDR access fails, resulting in HTTP 500 errors. It does not impact confidentiality or persistent integrity of data.

Since the vulnerability only affects availability during UDR failures and does not expose or compromise sensitive data, it primarily relates to availability requirements in standards like GDPR and HIPAA rather than confidentiality or data protection mandates.

Organizations relying on free5GC might face challenges in maintaining continuous service availability, which could affect compliance with availability and service continuity requirements under such regulations.

Detection Guidance

This vulnerability can be detected by sending a PATCH request to the vulnerable endpoint and observing if the service panics and returns an HTTP 500 Internal Server Error when the upstream UDR call fails.

Specifically, the vulnerable endpoint is: PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId}.

A practical detection method involves simulating a failure in the UDR or NRF service (e.g., stopping the NRF service) and then issuing a PATCH request to the endpoint. If the NEF component crashes or returns a 500 error due to a panic, the vulnerability is present.

Example command using curl to test the endpoint (replace placeholders with actual values):

  • curl -X PATCH "http://<nef-host>:<port>/3gpp-pfd-management/v1/<afId>/transactions/<transId>/applications/<appId>" -d '<payload>' -H "Content-Type: application/json"

Ensure that the UDR or NRF service is unavailable or failing to trigger the error condition that leads to the panic.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44322. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart