CVE-2026-44323
Analyzed Analyzed - Analysis Complete
free5GC UDR Nil-Pointer Dereference in EE-Subscription Handler

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks _, ok = UESubsData.EeSubscriptionCollection[subsId] and sets a 404 problem-details on the miss path, but then continues to UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos -- dereferencing the same missing entry instead of returning. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-44323
EUVD
EUVD-2026-32575
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
free5gc free5gc to 4.2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in free5GC's UDR component causes a denial-of-service (DoS) condition by allowing repeated panics and crashes through a nil-pointer dereference in an authenticated DELETE endpoint. However, it does not affect confidentiality or persistent integrity of data.

Since the primary impact is reduced availability without compromising data confidentiality or integrity, the vulnerability mainly poses a risk to service availability rather than data protection requirements under standards like GDPR or HIPAA.

Therefore, while the vulnerability could lead to service disruptions, it does not directly cause violations related to data privacy or protection mandates in these regulations.

Executive Summary

The vulnerability exists in free5GC's UDR component in the DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions endpoint. When a request is made with a missing or invalid subscription ID (subsId), the handler checks for the subscription's existence and sets a 404 response if not found, but it fails to return immediately. Instead, it continues and dereferences the missing subscription entry, causing a nil-pointer dereference and a panic. This panic is converted into an HTTP 500 error by the Gin recovery mechanism, but the endpoint remains vulnerable to repeated panics.

The issue requires a valid authenticated request with a proper OAuth2 token and a preparatory EE-subscription create. The root cause is improper error handling where the code does not return after detecting a missing subscription ID before accessing its properties.

Impact Analysis

This vulnerability can lead to denial-of-service (DoS) conditions on the free5GC UDR service. An attacker with a valid OAuth2 token can repeatedly trigger the panic by sending malicious DELETE requests with invalid subscription IDs, causing the service to crash or return HTTP 500 errors.

The impact is primarily on availability, as the repeated panics consume CPU and logging resources, potentially degrading service performance or causing outages. There is no impact on confidentiality or persistent integrity.

Detection Guidance

This vulnerability can be detected by monitoring the UDR service for repeated HTTP 500 errors on the DELETE endpoint /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions after authenticated requests.

Specifically, if you observe repeated panics or crashes in the UDR logs triggered by DELETE requests with invalid or missing subscription IDs (subsId), it indicates the presence of this vulnerability.

Since the vulnerability requires an authenticated request with a valid OAuth2 token (nudr-dr scope), you can attempt to reproduce the issue in a controlled environment by sending authenticated DELETE requests with non-existent subsId values after creating an EE-subscription.

Suggested commands to detect the vulnerability include using curl or similar HTTP clients to send authenticated DELETE requests and monitoring logs for HTTP 500 responses and panic stack traces.

  • Example curl command to test the vulnerable endpoint (replace placeholders accordingly):
  • curl -X DELETE "https://<free5gc-udr-host>/subscription-data/<ueId>/<servingPlmnId>/ee-subscriptions/<invalid-subsId>/amf-subscriptions" -H "Authorization: Bearer <valid_oauth2_token>" -v
  • Monitor the UDR logs for panic or crash messages following such requests.
Mitigation Strategies

The immediate mitigation step is to upgrade the free5GC UDR component to version 4.2.2 or later, where this vulnerability has been fixed.

The fix includes proper error handling in the DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler to prevent nil-pointer dereferences and panics.

Until the upgrade can be applied, you should restrict access to the vulnerable endpoint by limiting authenticated users who can send DELETE requests with the nudr-dr scope.

Additionally, monitor the UDR service for repeated panics or crashes and consider implementing rate limiting or alerting on suspicious DELETE requests to reduce the risk of denial-of-service.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44323. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart