PatchSiren cyber security CVE debrief
CVE-2026-44321 free5gc CVE debrief
free5GC's Session Management Function (SMF) component prior to version 4.2.2 exposes an unauthenticated management endpoint that can trigger a fatal process termination. The UPI (User Plane Infrastructure) management route group at POST /upi/v1/upNodesLinks lacks OAuth2 middleware, allowing unauthenticated attackers to submit JSON payloads. When the handler processes attacker-controlled input through UpNodesFromConfiguration(), validation failures—specifically UE-IP-pool overlap checks between new and existing UPFs—invoke logger.InitLog.Fatalf(...), which terminates the entire SMF process rather than isolating the failure to a goroutine. This results in complete denial of service for the SMF container (observed as Exited (1) in docker ps). The vulnerability combines missing authentication controls (CWE-306, CWE-862) with reachable assertion failures (CWE-617). The fix in version 4.2.2 adds proper authentication middleware to the UPI management routes.
- Vendor
- free5gc
- Product
- Unknown
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-27
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-05-27
- Advisory updated
- 2026-05-27
Who should care
Telecommunications operators deploying free5GC-based 5G core networks; network security teams managing containerized mobile core infrastructure; DevOps engineers responsible for SMF availability and container orchestration; security auditors evaluating 5G core attack surface
Technical summary
The SMF component in free5GC versions prior to 4.2.2 exposes the UPI (User Plane Infrastructure) management API without authentication. The POST /upi/v1/upNodesLinks endpoint accepts JSON payloads that are passed directly to UpNodesFromConfiguration(). When validation fails—such as when a submitted UPF configuration contains a UE-IP pool overlapping an existing pool—the code path calls logger.InitLog.Fatalf(...), causing the entire SMF process to exit with status 1. This is a process-level termination, not a goroutine panic, resulting in complete SMF service unavailability until container restart. The vulnerability requires no authentication (PR:N) and is network-accessible (AV:N) with low attack complexity (AC:L).
Defensive priority
HIGH
Recommended defensive actions
- Upgrade free5GC to version 4.2.2 or later to obtain the OAuth2 middleware fix for UPI management routes
- If immediate patching is not feasible, restrict network access to the SMF UPI management endpoint (POST /upi/v1/upNodesLinks) to authorized administrative hosts only
- Monitor SMF container logs and orchestration events for unexpected Exited (1) status indicating process termination
- Review SMF configuration for unauthorized UPF entries that may indicate exploitation attempts
- Validate that existing API gateway or reverse proxy configurations enforce authentication before forwarding requests to SMF UPI endpoints
Evidence notes
CVE published 2026-05-27T17:16:37.330Z; modified 2026-05-27T19:51:27.110Z. Advisory references GitHub Security Advisory GHSA-44qj-cghf-9p97, issue #906, commit e0974e07ddab44a67d36a563cca383b2449e33e5, and PR #203. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H yields score 7.5 (HIGH). CWE-306 (Missing Authentication), CWE-617 (Reachable Assertion), CWE-862 (Missing Authorization) identified.
Official resources
2026-05-27