PatchSiren cyber security CVE debrief
CVE-2026-44322 free5gc CVE debrief
A nil-pointer dereference in free5GC's Network Exposure Function (NEF) prior to version 4.2.2 allows unauthenticated remote attackers to trigger a panic and an HTTP 500 error response. The flaw is in the handler for the PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} endpoint. When an upstream UDR (Unified Data Repository) call fails and the consumer wrapper returns a non-nil error together with a nil *ProblemDetails, the handler correctly builds a problemDetailsErr in the errPfdData != nil branch, but then immediately reads problemDetails.Cause from the other value, which is nil in that branch, and panics. Gin's recovery middleware converts the panic into an HTTP 500 response, bypassing the intended controlled error handling. The result is a denial-of-service condition against NEF service availability. The vulnerability is classified under CWE-476 (NULL Pointer Dereference) and CWE-754 (Improper Check for Unusual or Exceptional Conditions). It was fixed in free5GC version 4.2.2 via a commit that corrects the nil-pointer handling logic.
- Vendor: free5gc
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Telecommunications operators deploying free5GC-based 5G core networks; network security teams managing NEF exposure to external application functions; DevOps engineers responsible for free5GC upgrade cycles; and security researchers tracking vulnerabilities in open-source 5G infrastructure components.
Technical summary
The free5GC NEF (Network Exposure Function) implements the 3GPP PFD (Packet Flow Description) management service. The PATCH endpoint handler contains a logic error where two error variables—errPfdData and problemDetails—are handled in the same conditional branch. When errPfdData is non-nil (indicating a local processing error), the handler correctly constructs problemDetailsErr. However, the subsequent code immediately references problemDetails.Cause, where problemDetails is nil in this branch. This causes a runtime panic that Gin's recovery middleware catches, returning HTTP 500 instead of a properly structured error response. The vulnerability is triggered specifically when UDR calls fail and the consumer wrapper returns (err != nil, problemDetails == nil). The fix in version 4.2.2 ensures proper nil checks before field access on the problemDetails structure.
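The branch described above, reduced to a self-contained Go sketch with the vulnerable shape beside a nil-checked one. This is an added illustration, not free5GC's code: the simplified ProblemDetails type, the status codes, the SYSTEM_FAILURE cause string, errUDR and the serve wrapper (standing in for Gin's recovery middleware) are assumptions.

```go
package main

import "fmt"

// ProblemDetails is a simplified stand-in for the 3GPP error body.
type ProblemDetails struct{ Cause string }

// errUDR: constructed error, assumed to arrive with a nil *ProblemDetails.
var errUDR = fmt.Errorf("udr unreachable")

// vulnerable builds problemDetailsErr, then reads the nil problemDetails.
func vulnerable(problemDetails *ProblemDetails, errPfdData error) (int, *ProblemDetails) {
	if errPfdData != nil {
		problemDetailsErr := &ProblemDetails{Cause: "SYSTEM_FAILURE"}
		problemDetailsErr.Cause = problemDetails.Cause // nil dereference: panics
		return 500, problemDetailsErr
	}
	return 204, nil
}

// hardened reads problemDetails only after confirming it is non-nil.
func hardened(problemDetails *ProblemDetails, errPfdData error) (int, *ProblemDetails) {
	if errPfdData != nil {
		problemDetailsErr := &ProblemDetails{Cause: "SYSTEM_FAILURE"}
		if problemDetails != nil {
			problemDetailsErr.Cause = problemDetails.Cause
		}
		return 500, problemDetailsErr
	}
	return 204, nil
}

type handler func(*ProblemDetails, error) (int, *ProblemDetails)

// serve mimics recovery middleware: a panic becomes a bare 500 with no body.
func serve(h handler, pd *ProblemDetails, err error) (status int, body *ProblemDetails, panicked bool) {
	defer func() {
		if recover() != nil {
			status, body, panicked = 500, nil, true
		}
	}()
	status, body = h(pd, err)
	return
}

func main() {
	fmt.Println(serve(vulnerable, nil, errUDR)) // panic recovered: bare 500
	status, body, _ := serve(hardened, nil, errUDR)
	fmt.Println(status, body.Cause) // structured error survives
}
```

Both variants answer 500 on the trigger input; what separates them is whether the response came from a recovered panic with no body or from the handler's own structured error.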
Defensive priority
high
Recommended defensive actions
- Upgrade free5GC to version 4.2.2 or later to remediate the nil-pointer dereference vulnerability in the NEF PFD management endpoint.
- If immediate patching is not feasible, monitor NEF service logs for unexpected HTTP 500 responses to PATCH requests against /3gpp-pfd-management/v1/*/transactions/*/applications/* endpoints, which may indicate exploitation or triggering attempts.
- Implement network segmentation to restrict access to NEF management interfaces to authorized administrative hosts only, reducing exposure of the vulnerable endpoint.
- Review application-level error handling in custom NEF implementations to ensure nil pointer checks precede field access on error response objects.
- Monitor upstream UDR health and connectivity; UDR failures are the trigger condition for this vulnerability, so maintaining UDR availability reduces the likelihood of hitting the vulnerable code path.
Evidence notes
Vulnerability description and technical details sourced from NVD record and GitHub Security Advisory GHSA-j59f-x285-69jx. Fix commit 72a47f3fab4dffbd227f8d92c5f69dca93b610cb and pull request #22 in the free5gc/nef repository confirm remediation in version 4.2.2. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicates network-accessible, low-complexity, unauthenticated denial of service.