PatchSiren cyber security CVE debrief

CVE-2026-44318 free5gc CVE debrief

A race condition in free5GC's Binding Support Function (BSF) prior to version 4.2.2 allows authenticated attackers to trigger a fatal runtime panic and denial-of-service condition. The vulnerability exists in the PUT /nbsf-management/v1/subscriptions/{subId} handler where concurrent map access occurs: the handler reads from a global Subscriptions map under RLock(), but when a subscription does not exist, the ReplaceIndividualSubcription() function writes directly to the same map without acquiring the mutex. Under concurrent authenticated PUT requests, this produces a fatal 'concurrent map read and map write' error that bypasses Go's recover() mechanism, causing the BSF container to exit with code 2 and terminating the entire BSF SBI surface until manual restart. The CVSS 3.1 score of 6.5 (Medium) reflects network attack vector, low attack complexity, required low privileges, and high availability impact with no confidentiality or integrity effects. The issue was disclosed on May 27, 2026 and fixed in free5GC 4.2.2.

Vendor: free5gc
Product: Unknown
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations operating free5GC-based 5G core networks, telecommunications infrastructure providers, mobile network operators (MNOs) using open-source 5G core implementations, security teams responsible for NFV/containerized network function availability, and DevOps engineers managing BSF container deployments

Technical summary

The free5GC BSF (Binding Support Function) implements the Nbsf_Management service for 5G core network subscription management. Prior to 4.2.2, the PUT handler for /nbsf-management/v1/subscriptions/{subId} contains a critical synchronization defect. The handler invokes BSFContext.GetSubscription(subId), which acquires an RLock() for read access to the global Subscriptions map. When the requested subscription does not exist, the code path proceeds to ReplaceIndividualSubcription(), which performs a direct assignment to bsfContext.BsfSelf.Subscriptions[subId] without mutex protection. This creates a window where one goroutine may execute a map write while another holds only a read lock, violating Go's map concurrency rules. The Go runtime detects this condition and terminates the process with a non-recoverable fatal error. The BSF container exits with status 2, and the entire Service-Based Interface (SBI) surface becomes unavailable until the container is restarted. The vulnerability requires authenticated access but is otherwise trivial to trigger under concurrent load conditions.

Defensive priority

medium

Recommended defensive actions

Upgrade free5GC to version 4.2.2 or later to obtain the synchronization fix for the BSF subscription handler
If immediate patching is not feasible, implement rate limiting on the BSF management interface to reduce the likelihood of concurrent PUT requests triggering the race condition
Monitor BSF container logs for fatal error: concurrent map read and map write messages as indicators of exploitation attempts
Ensure BSF containers are configured with appropriate restart policies to minimize service downtime if the panic condition occurs
Review custom modifications to the BSF subscription handling code for similar unsynchronized map access patterns

Evidence notes

The vulnerability description and fix details are derived from the official CVE record and GitHub security advisory. The race condition pattern is consistent with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-820 (Missing Synchronization). The fix commit (277908565fd628d974a13ef562b81a8b7b519ffa) and pull request (#7) address the synchronization deficiency.

Official resources

2026-05-27