PatchSiren cyber security CVE debrief
CVE-2026-44317 free5gc CVE debrief
A nil pointer dereference vulnerability in free5GC's Policy Control Function (PCF) allows authenticated attackers to trigger a denial of service via a crafted API request. The flaw exists in the POST /npcf-policyauthorization/v1/app-sessions handler prior to version 4.2.2. When processing application session creation requests with the traffic-routing feature enabled (suppFeat ==
- Vendor: free5gc
- Product: Unknown
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Telecommunications operators deploying free5GC-based 5G core networks, network security teams managing 5G infrastructure, and organizations using free5GC for private 5G deployments should prioritize patching.
Technical summary
The vulnerability resides in free5GC's PCF component within the application session authorization handler. When an authenticated request enables traffic-routing feature negotiation (suppFeat ==
Defensive priority
medium
Recommended defensive actions
- Upgrade free5GC to version 4.2.2 or later
- Apply commit 508d70b8527a6c8c923179dad450ea01e16b6aeb if patching from source
- Monitor PCF logs for HTTP 500 errors indicating potential exploitation attempts
- Validate that application session requests contain a complete AfRoutReq structure whenever traffic-routing features are negotiated, and reject them with a client error otherwise
Evidence notes
The vulnerability was disclosed through GitHub Security Advisory GHSA-wwqh-7jm5-gj7w and NVD. The fix commit 508d70b8527a6c8c923179dad450ea01e16b6aeb addresses the nil pointer dereference by adding proper validation before dereferencing routeReq fields.
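The check that the recommended action and the fix description both point to, written as an added Go example rather than free5GC's own code: the request types are constructed stand-ins for the TS 29.514 AppSessionContextReqData fields, and the assumption that the traffic-routing feature is the least significant bit of suppFeat (InfluenceOnTrafficRouting, feature 1 in TS 29.514) is labelled in the code, since the page does not show free5GC's exact condition.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Constructed stand-ins for the TS 29.514 AppSessionContextReqData fields this
// check needs; they are not free5GC's own types.
type RoutingRequirement struct{ RouteToLocs []string }
type AppSessionContextReqData struct {
	SuppFeat  string              // hex bitmask of negotiated features
	AfRoutReq *RoutingRequirement // nil when the client omits afRoutReq
}

// Assumption: InfluenceOnTrafficRouting is feature 1 in TS 29.514 and so the
// least significant bit of suppFeat; free5GC's exact condition is not on the page.
const trafficRoutingBit = 0
var ErrMissingAfRoutReq = errors.New("traffic routing negotiated but afRoutReq is missing")

// trafficRoutingNegotiated parses the hex bitmask; unparsable input counts as not negotiated.
func trafficRoutingNegotiated(suppFeat string) bool {
	bits, err := strconv.ParseUint(suppFeat, 16, 64)
	return err == nil && bits&(1<<trafficRoutingBit) != 0
}

// validateAppSession rejects a request that negotiates the feature without the
// structure the feature needs, so nothing downstream dereferences a nil pointer.
func validateAppSession(req AppSessionContextReqData) error {
	if trafficRoutingNegotiated(req.SuppFeat) && req.AfRoutReq == nil {
		return ErrMissingAfRoutReq
	}
	return nil
}

// createAppSession returns the HTTP status and body the PCF would answer with.
// Without the validation call, req.AfRoutReq.RouteToLocs below panics on nil, and
// the framework's panic recovery becomes the HTTP 500 the advisory says to monitor.
func createAppSession(req AppSessionContextReqData) (int, string) {
	if err := validateAppSession(req); err != nil {
		return 400, err.Error()
	}
	if trafficRoutingNegotiated(req.SuppFeat) {
		return 201, fmt.Sprintf("routing to %v", req.AfRoutReq.RouteToLocs)
	}
	return 201, "created without traffic routing"
}

func main() {
	fmt.Println(createAppSession(AppSessionContextReqData{SuppFeat: "1"})) // 400, not a crash
}
```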
Official resources
2026-05-27