PatchSiren

CVE-2026-44316 free5gc CVE debrief

A nil-pointer dereference in free5GC's Policy Control Function (PCF) allows unauthenticated remote attackers to trigger a panic via a crafted POST request to the SM Policy Control endpoint. The vulnerability exists in versions prior to 4.2.2, where the HandleCreateSmPolicyRequest handler fails to properly handle 404 responses from downstream UDR lookups. When the OpenAPI consumer wrapper returns an error with a nil response struct, the handler logs the error but continues execution, subsequently dereferencing the nil pointer and causing a panic. Gin's recovery mechanism converts this to an HTTP 500 response. Notably, in version 4.2.1, this endpoint is reachable without authentication due to missing middleware on the Npcf_SMPolicyControl route group. The CVSS 3.1 score of 7.5 (HIGH) reflects network accessibility, low attack complexity, no required privileges or user interaction, and high availability impact. The issue was fixed in free5GC 4.2.2 via proper error handling that returns early when downstream lookups fail.

Vendor: free5gc
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Telecommunications operators deploying free5GC-based 5G core networks, network security teams managing 5G infrastructure, and organizations using free5GC for private 5G deployments should prioritize this patch due to the unauthenticated attack vector and potential for service disruption to policy control functions.

Technical summary

The vulnerability resides in free5GC's PCF component, in the HandleCreateSmPolicyRequest function. When processing POST requests to /npcf-smpolicycontrol/v1/sm-policies, the handler performs a UDR lookup through the OpenAPI consumer. If this lookup returns HTTP 404 Not Found, the consumer wrapper returns a non-nil error alongside a nil response struct. The handler logs the OpenAPI error using logger.Errorf but does not return, so execution continues and dereferences the nil response pointer on a subsequent line. This triggers a panic that Gin's recovery middleware converts to HTTP 500. In free5GC 4.2.1, the Npcf_SMPolicyControl route group lacks inbound authentication middleware, allowing unauthenticated exploitation. The fix in 4.2.2 adds proper error handling that returns early when the UDR lookup fails, preventing the nil-pointer dereference.
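
The log-and-continue pattern described above, reduced to a stand-alone Go sketch beside its early-return form. This is an added example, not free5GC's code: `smData`, `lookupUDR`, the handler names, the subscriber ids and the 404 returned by the fixed variant are assumptions for illustration, and `withRecovery` stands in for Gin's recovery middleware.

```go
package main

import (
	"fmt"
	"net/http"
)

// smData is a hypothetical stand-in for the data a UDR lookup returns.
type smData struct{ Dnn string }

// lookupUDR mimics a consumer wrapper: on 404 it returns a nil struct and a non-nil error.
func lookupUDR(supi string) (*smData, error) {
	if supi != "imsi-known" { // constructed subscriber id
		return nil, fmt.Errorf("404 Not Found")
	}
	return &smData{Dnn: "internet"}, nil
}

// createVulnerable logs the error but does not return, then dereferences nil.
func createVulnerable(supi string) (int, string) {
	resp, err := lookupUDR(supi)
	if err != nil {
		fmt.Println("OpenAPI error:", err) // logged, execution continues
	}
	return http.StatusCreated, resp.Dnn // panics when resp is nil
}

// createFixed returns early when the lookup fails (404 is an assumed status).
func createFixed(supi string) (int, string) {
	resp, err := lookupUDR(supi)
	if err != nil || resp == nil {
		return http.StatusNotFound, "subscriber data not found"
	}
	return http.StatusCreated, resp.Dnn
}

// withRecovery stands in for a recovery middleware: a panic becomes HTTP 500.
func withRecovery(h func(string) (int, string), supi string) (code int, body string) {
	defer func() {
		if r := recover(); r != nil {
			code, body = http.StatusInternalServerError, "recovered from panic"
		}
	}()
	return h(supi)
}

func main() {
	fmt.Println(withRecovery(createVulnerable, "imsi-unknown"))
	fmt.Println(withRecovery(createFixed, "imsi-unknown"))
}
```

The recovered 500 in the first case is the same signal the monitoring recommendation on this page keys on.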

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade free5GC to version 4.2.2 or later to obtain the fix for improper nil-pointer handling in the PCF SM Policy Control handler
  • If immediate patching is not feasible, implement network-level access controls to restrict access to the PCF Npcf_SMPolicyControl endpoints to authorized 5G core network components only
  • Monitor PCF service logs for HTTP 500 responses to POST /npcf-smpolicycontrol/v1/sm-policies requests, which may indicate exploitation attempts
  • Review custom modifications to free5GC PCF routing configuration to ensure authentication middleware is applied to all Npcf_SMPolicyControl routes
  • Validate that downstream UDR (Unified Data Repository) services are operational and reachable to minimize conditions that trigger the vulnerable error path

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-wr8j-6chw-gm6p and associated commit df535f5524314620715e842baf9723efbeb481a7. CWE-476 (NULL Pointer Dereference) and CWE-754 (Improper Check for Unusual or Exceptional Conditions) identified. Fix implemented in PCF pull request #62.

Official resources

2026-05-27