PatchSiren cyber security CVE debrief
CVE-2026-44319 free5gc CVE debrief
A critical availability vulnerability in free5GC's Network Exposure Function (NEF) allows unauthenticated remote attackers to terminate the entire NEF process via a malformed PFD subscription. The flaw resides in PfdChangeNotifier.FlushNotifications(), where delivery failures to a subscriber's notifyUri trigger a fatal log call equivalent to os.Exit(1), causing immediate process termination with status 1. This drops all NEF Service-Based Interface (SBI) endpoints until manual restart. The attack requires only the ability to create a PFD subscription with an attacker-controlled notifyUri and subsequently trigger a PFD change notification. CVSS 3.1 scoring reflects network attack vector, low complexity, no privileges required, and high availability impact. The vulnerability was patched in free5GC version 4.2.2 via commit f110517b1189801950b50668a593398687049074.
- Vendor
- free5gc
- Product
- Unknown
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-27
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-05-27
- Advisory updated
- 2026-05-27
Who should care
Telecommunications operators deploying free5GC-based 5G core networks; network security teams managing NEF exposure to untrusted NF consumers; DevOps engineers responsible for NEF service availability and incident response
Technical summary
The free5GC NEF component prior to 4.2.2 contains a fatal error handling flaw in its PFD (Packet Flow Description) change notification subsystem. When FlushNotifications() attempts to deliver notifications to a subscriber's notifyUri and encounters any delivery error, it invokes logger.PFDManageLog.Fatal(err). In Go's log package, Fatal calls are equivalent to os.Exit(1), causing immediate process termination without graceful shutdown. This architectural flaw means a single malformed or unreachable subscription can deterministically kill the entire NEF service, which exposes critical 5G core SBI endpoints. The vulnerability is classified under CWE-20 (Improper Input Validation), CWE-617 (Reachable Assertion), and CWE-755 (Improper Handling of Exceptional Conditions). The fix in 4.2.2 replaces the fatal exit with proper error handling that logs the delivery failure without terminating the process.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade free5GC to version 4.2.2 or later to obtain the patched NEF component
- If immediate patching is not feasible, restrict PFD subscription creation to authenticated administrative principals only
- Monitor NEF process logs for unexpected Fatal-level exits with PFDManageLog context
- Implement process supervision (systemd, container restart policy) to reduce downtime from process termination
- Review existing PFD subscriptions for suspicious notifyUri values pointing to unreachable or attacker-controlled endpoints
Evidence notes
Vulnerability description and fix version confirmed via NVD entry and GitHub Security Advisory GHSA-rxrq-fv76-26pr. Technical root cause (logger.PFDManageLog.Fatal(err) invocation) documented in advisory. Patch commit f110517b1189801950b50668a593398687049074 and pull request #25 in free5gc/nef repository provide remediation verification. CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H sourced from NVD. CWE classifications CWE-20, CWE-617, and CWE-755 attributed to [email protected].
Official resources
2026-05-27