PatchSiren cyber security CVE debrief
CVE-2026-42459 free5gc CVE debrief
free5GC UDM (Unified Data Management) component prior to version 4.2.2 contains an input validation vulnerability in the nudm-sdm (Subscriber Data Management) service. Six GET handlers fail to properly validate the supi path parameter, allowing unauthenticated attackers to inject control characters into the SUPI (Subscription Permanent Identifier) parameter. This injection causes UDM to forward malformed requests to the UDR (Unified Data Repository), resulting in 500 Internal Server Error responses that expose internal infrastructure details. The vulnerability stems from improper input validation (CWE-20) and information exposure through error messages (CWE-209). The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and high confidentiality impact to the vulnerable system. The fix in version 4.2.2 addresses the insufficient input validation on the supi parameter across the affected GET handlers.
- Vendor: free5gc
- Product: Unknown
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-28
Who should care
Telecommunications operators deploying free5GC-based 5G core networks; security teams managing 5G infrastructure; network architects responsible for 5G service-based architecture security; organizations with exposure of UDM nudm-sdm service endpoints to untrusted networks
Technical summary
The free5GC UDM component's nudm-sdm service exposes six GET handlers that accept a supi path parameter without proper validation. An unauthenticated remote attacker can inject control characters into this SUPI parameter, causing the UDM to generate malformed requests to the backend UDR. The resulting 500 Internal Server Error responses leak internal infrastructure information. The vulnerability is fixed in free5GC version 4.2.2.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade free5GC to version 4.2.2 or later to remediate the input validation vulnerability in UDM nudm-sdm service handlers
- Implement input validation on SUPI parameters at network edge or API gateway to block control character injection before reaching UDM
- Configure UDM and UDR error handling to return generic error responses without internal infrastructure details
- Monitor UDM logs for anomalous supi path parameter patterns containing control characters or unexpected formatting
- Review and restrict network access to nudm-sdm service endpoints to authorized 5G core network functions only
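The edge validation and log monitoring actions above, as an added example in Go (free5GC's language) that is not code from the free5GC project or the advisory: a strict supi allow-list plus control-character check, and a scan over constructed log lines. The allow-list (IMSI digits or printable-ASCII NAI) and the "supi=<value>" log field layout are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// Allow-list for supi (an assumption for this example, stricter than the 3GPP
// TS 29.571 Supi pattern): "imsi-" plus 5 to 15 digits, or "nai-" plus printable ASCII.
var supiPattern = regexp.MustCompile(`^(imsi-[0-9]{5,15}|nai-[\x21-\x7e]{1,253})$`)

// containsControl reports whether s carries any control character, the class
// of input the advisory says was forwarded to the UDR unchecked.
func containsControl(s string) bool {
	for _, r := range s {
		if unicode.IsControl(r) {
			return true
		}
	}
	return false
}

// ValidateSupi is the check a handler or API gateway runs before any UDR
// request is built; on error the caller answers 400 instead of proxying.
func ValidateSupi(supi string) error {
	if containsControl(supi) {
		return fmt.Errorf("invalid supi %q: control character present", supi)
	}
	if !supiPattern.MatchString(supi) {
		return fmt.Errorf("invalid supi %q: not in allow-list", supi)
	}
	return nil
}

// SuspiciousSupiLines returns indexes of log lines whose "supi=<value>" field
// fails ValidateSupi; the field layout is assumed, not free5GC's log format.
func SuspiciousSupiLines(lines []string) []int {
	var hits []int
	for i, line := range lines {
		if _, rest, ok := strings.Cut(line, "supi="); ok {
			value, _, _ := strings.Cut(rest, " ")
			if ValidateSupi(value) != nil {
				hits = append(hits, i)
			}
		}
	}
	return hits
}
```

A percent-encoded control sequence that was never decoded also fails, because `%` is outside the allow-list, so both the raw and the encoded form are rejected before any UDR request exists.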
Evidence notes
Vulnerability confirmed through GitHub Security Advisory GHSA-585v-hcgf-jhfr. NVD status 'Undergoing Analysis' as of 2026-05-27. CVSS 4.0 score 7.7 (HIGH) with exploitability marked as 'Proof-of-concept' (E:P). CWE-20 (Improper Input Validation) and CWE-209 (Generation of Error Message Containing Sensitive Information) identified as primary weakness types.
Official resources
- CVE-2026-42459 CVE record (CVE.org)
- CVE-2026-42459 NVD detail (NVD)
- Mitigation or vendor reference, tagged Exploit, Mitigation, Vendor Advisory (2026-05-27)