PatchSiren cyber security CVE debrief
CVE-2026-44323 free5gc CVE debrief
A nil-pointer dereference vulnerability exists in free5GC's UDR (Unified Data Repository) component prior to version 4.2.2. The affected endpoint is the nudr-dr DELETE handler for `/subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions`. The handler performs a map lookup for `UESubsData.EeSubscriptionCollection[subsId]` and correctly detects a miss, setting a 404 problem-details response. However, execution continues to the subsequent line, which dereferences `UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos`, causing a nil-pointer dereference panic. The Gin web framework's recovery mechanism converts this panic into an HTTP 500 response, but the endpoint remains repeatedly triggerable. Exploitation requires an authenticated attacker to first create an EE subscription, then issue a DELETE request referencing a non-existent subscription ID. The vulnerability is classified as CWE-476 (NULL Pointer Dereference) with a CVSS 3.1 score of 4.3 (Medium severity). The issue was fixed in free5GC version 4.2.2 via a commit that adds a proper return statement after the 404 response path.
- Vendor: free5gc
- Product: Unknown
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations operating free5GC-based 5G core networks, telecommunications infrastructure providers, mobile network operators (MNOs) using open-source 5G core implementations, security teams responsible for 5G network function virtualization (NFV) security, and DevOps teams managing free5GC deployments in production environments.
Technical summary
The free5GC UDR component's DELETE handler for AMF subscriptions within EE subscriptions contains a logic error: the check for a missing map entry does not prevent the subsequent dereference of that same entry. After detecting a missing `subsId` in `EeSubscriptionCollection` and preparing a 404 response, the code proceeds to access `.AmfSubscriptionInfos` on the nil map entry, triggering a panic. While Gin's recovery middleware prevents a server crash, authenticated attackers can trigger the panic on this endpoint repeatedly, constituting a denial-of-service condition. The vulnerability requires low-privileged authenticated access and has low availability impact per CVSS scoring.
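The fall-through described above, next to the early-return form, as an added example that is not free5GC's own code. The types, function names and the `withRecovery` wrapper (a stand-in for Gin's recovery middleware) are hypothetical; only the field names `EeSubscriptionCollection` and `AmfSubscriptionInfos` come from the advisory text, and the map is assumed to hold pointer values.

```go
package main

import (
	"fmt"
	"net/http"
)

// Hypothetical, simplified stand-ins for the UDR data model (assumption:
// the collection maps subsId to a pointer, so a miss yields nil).
type EeSubscription struct{ AmfSubscriptionInfos []string }
type UESubsData struct{ EeSubscriptionCollection map[string]*EeSubscription }

// deleteVulnerable records the 404 on a miss but keeps executing.
func deleteVulnerable(d *UESubsData, subsId string) (status int) {
	status = http.StatusNoContent
	if _, ok := d.EeSubscriptionCollection[subsId]; !ok {
		status = http.StatusNotFound // response prepared, but no return
	}
	d.EeSubscriptionCollection[subsId].AmfSubscriptionInfos = nil // panics on a miss
	return status
}

// deleteFixed returns as soon as the miss is detected.
func deleteFixed(d *UESubsData, subsId string) int {
	sub, ok := d.EeSubscriptionCollection[subsId]
	if !ok || sub == nil {
		return http.StatusNotFound
	}
	sub.AmfSubscriptionInfos = nil
	return http.StatusNoContent
}

// withRecovery mimics a recovery middleware: a panic becomes an HTTP 500.
func withRecovery(h func(*UESubsData, string) int, d *UESubsData, subsId string) (status int) {
	defer func() {
		if r := recover(); r != nil {
			status = http.StatusInternalServerError
		}
	}()
	return h(d, subsId)
}

func main() {
	// Constructed sample data: one existing subscription with ID "1".
	d := &UESubsData{EeSubscriptionCollection: map[string]*EeSubscription{
		"1": {AmfSubscriptionInfos: []string{"constructed-amf"}},
	}}
	fmt.Println(withRecovery(deleteVulnerable, d, "missing"), withRecovery(deleteFixed, d, "missing"))
}
```

The same check applies to any custom UDR modification: after a failed map lookup, every code path must return before the entry is touched.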
Defensive priority
medium
Recommended defensive actions
- Upgrade free5GC to version 4.2.2 or later to obtain the fix for this nil-pointer dereference vulnerability
- If immediate patching is not feasible, implement monitoring for repeated HTTP 500 responses from the UDR nudr-dr DELETE endpoint at `/subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions`
- Review access controls to ensure only authorized administrative users can access the UDR subscription management endpoints
- Consider implementing rate limiting on the affected endpoint to reduce the impact of repeated triggering attempts
- Validate that any custom modifications to the UDR component include proper nil checks before map entry dereferences
Evidence notes
The vulnerability description is sourced from the official CVE record and NVD entry published 2026-05-27. The technical details regarding the nil-pointer dereference path, Gin recovery behavior, and authentication requirements are derived from the GitHub Security Advisory GHSA-4rqf-grm6-vf75 and associated issue #919. The fix commit 8a1d3c63be99d378806d771f086ff32f1867da99 and pull request #60 confirm the remediation in version 4.2.2. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L supports the 4.3 score with network attack vector, low attack complexity, low privileges required, and low availability impact.