CVE-2026-44324
Analyzed Analyzed - Analysis Complete
UDR Panic on Invalid UE ID in free5GC

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does not exist in UESubsCollection. The processor checks value, ok := udrSelf.UESubsCollection.Load(ueId) and sets a 404 USER_NOT_FOUND problem-details on the miss path, but execution continues and immediately runs value.(*udr_context.UESubsData) -- a Go type assertion on a nil interface, which panics with interface conversion: interface {} is nil, not *context.UESubsData. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-44324
EUVD
EUVD-2026-32574
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
free5gc free5gc to 4.2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
CWE-704 The product does not correctly convert an object, resource, or structure from one type to a different type.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in free5GC, an open-source 5G core network implementation, specifically in versions prior to 4.2.2. The issue occurs in the UDR nudr-dr DELETE endpoint handler when a request is made with a ueId that does not exist in the UESubsCollection. Although the code attempts to handle the missing ueId by setting a 404 USER_NOT_FOUND response, it continues execution and performs a type assertion on a nil interface, causing a panic. This panic results in an HTTP 500 error, and the endpoint can be repeatedly triggered to panic.

Impact Analysis

The vulnerability can cause the affected free5GC UDR service to panic and return HTTP 500 errors repeatedly when triggered. This leads to a denial of service (DoS) condition, impacting the availability of the 5G core network functions relying on this service. Since the vulnerability does not affect confidentiality or integrity, the main impact is on service availability.

Mitigation Strategies

The vulnerability is fixed in free5GC version 4.2.2. The immediate step to mitigate this vulnerability is to upgrade your free5GC deployment to version 4.2.2 or later.

Compliance Impact

The vulnerability in free5GC's UDR component causes a denial-of-service condition by allowing an authenticated user to trigger repeated panics, leading to degraded availability of the UDR service.

Since the issue affects availability but does not impact confidentiality or integrity of data, it primarily relates to availability requirements in standards and regulations.

However, the provided information does not explicitly discuss or analyze the impact of this vulnerability on compliance with specific standards or regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by sending an authenticated DELETE request to the vulnerable free5GC UDR endpoint with a non-existent ueId. Specifically, the endpoint is /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions. If the ueId does not exist in the UESubsCollection, the server will panic and respond with HTTP 500 errors repeatedly.

To test this on your system, you can use a command-line HTTP client like curl with a valid OAuth2 token for the nudr-dr service. Replace the placeholders with appropriate values and use a ueId that is known not to exist.

  • curl -X DELETE "https://<free5gc-udr-host>/nudr-dr/v2/subscription-data/nonexistent-ueId/<servingPlmnId>/ee-subscriptions/<subsId>/amf-subscriptions" -H "Authorization: Bearer <valid_oauth2_token>" -v

Repeatedly sending such requests and observing HTTP 500 responses or panic logs in the UDR service indicates the presence of the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44324. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart