CVE-2026-44324
Status: Received - Intake
BaseFortify

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does not exist in UESubsCollection. The processor checks value, ok := udrSelf.UESubsCollection.Load(ueId) and sets a 404 USER_NOT_FOUND problem-details on the miss path, but execution continues and immediately runs value.(*udr_context.UESubsData) -- a Go type assertion on a nil interface, which panics with interface conversion: interface {} is nil, not *context.UESubsData. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2.
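The control-flow defect described above, reduced to a stand-alone Go example that is not free5GC's own code: the pre-4.2.2 shape of the handler beside a hardened version, with a small wrapper standing in for Gin's recovery middleware. UESubsData is a simplified stand-in for udr_context.UESubsData, and the field and function names are assumptions made for this illustration.

```go
package main

import "sync"

// UESubsData stands in for udr_context.UESubsData (simplified, hypothetical field).
type UESubsData struct {
	EeSubscriptions map[string]struct{}
}

// UESubsCollection is keyed by ueId, as in the UDR context (a sync.Map).
var UESubsCollection sync.Map

// vulnerableDelete reproduces the pre-4.2.2 control flow: the miss path sets a 404
// USER_NOT_FOUND but does not return, so the type assertion below runs on a nil
// interface and panics ("interface {} is nil, not *UESubsData").
func vulnerableDelete(ueId, subsId string) (status int, cause string) {
	value, ok := UESubsCollection.Load(ueId)
	if !ok {
		status, cause = 404, "USER_NOT_FOUND" // missing return: execution continues
	}
	ueSubsData := value.(*UESubsData) // panics when value is nil
	delete(ueSubsData.EeSubscriptions, subsId)
	return 204, ""
}

// fixedDelete returns on the miss path and uses the comma-ok type assertion,
// so neither a missing ueId nor an unexpected stored type can panic the handler.
func fixedDelete(ueId, subsId string) (int, string) {
	value, ok := UESubsCollection.Load(ueId)
	if !ok {
		return 404, "USER_NOT_FOUND"
	}
	ueSubsData, ok := value.(*UESubsData)
	if !ok {
		return 500, "SYSTEM_FAILURE"
	}
	delete(ueSubsData.EeSubscriptions, subsId)
	return 204, ""
}

// callRecovering plays the role of Gin's recovery middleware: a panic becomes HTTP 500.
func callRecovering(h func(string, string) (int, string), ueId, subsId string) (status int, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			status, panicked = 500, true
		}
	}()
	status, _ = h(ueId, subsId)
	return status, false
}
```

The same miss path that yields a clean 404 from fixedDelete yields a recovered panic and a 500 from vulnerableDelete, which is the signal to watch for in UDR logs.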
Meta Information
Generated: 2026-05-28
AI Q&A: 2026-05-27
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: free5gc
Product: free5gc
Version / Range: 4.2.2
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
CWE-704 The product does not correctly convert an object, resource, or structure from one type to a different type.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in free5GC's UDR component causes a denial-of-service condition by allowing an authenticated user to trigger repeated panics, leading to degraded availability of the UDR service.

Since the issue affects availability but does not impact confidentiality or integrity of data, it primarily relates to availability requirements in standards and regulations.

However, the provided information does not explicitly discuss or analyze the impact of this vulnerability on compliance with specific standards or regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

This vulnerability exists in free5GC, an open-source 5G core network implementation, specifically in versions prior to 4.2.2. The issue occurs in the UDR nudr-dr DELETE endpoint handler when a request is made with a ueId that does not exist in the UESubsCollection. Although the code attempts to handle the missing ueId by setting a 404 USER_NOT_FOUND response, it continues execution and performs a type assertion on a nil interface, causing a panic. This panic results in an HTTP 500 error, and the endpoint can be repeatedly triggered to panic.


How can this vulnerability impact me?

The vulnerability can cause the affected free5GC UDR service to panic and return HTTP 500 errors repeatedly when triggered. This leads to a denial of service (DoS) condition, impacting the availability of the 5G core network functions relying on this service. Since the vulnerability does not affect confidentiality or integrity, the main impact is on service availability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in free5GC version 4.2.2. The immediate step to mitigate this vulnerability is to upgrade your free5GC deployment to version 4.2.2 or later.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending an authenticated DELETE request to the vulnerable free5GC UDR endpoint with a non-existent ueId. Specifically, the endpoint is /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions. If the ueId does not exist in the UESubsCollection, the server will panic and respond with HTTP 500 errors repeatedly.

To test this on your system, you can use a command-line HTTP client like curl with a valid OAuth2 token for the nudr-dr service. Replace the placeholders with appropriate values and use a ueId that is known not to exist.

  • curl -X DELETE "https://<free5gc-udr-host>/nudr-dr/v2/subscription-data/nonexistent-ueId/<servingPlmnId>/ee-subscriptions/<subsId>/amf-subscriptions" -H "Authorization: Bearer <valid_oauth2_token>" -v

Repeatedly sending such requests and observing HTTP 500 responses or panic logs in the UDR service indicates the presence of the vulnerability.

