PatchSiren cyber security CVE debrief
CVE-2026-44324 free5gc CVE debrief
A nil-pointer dereference panic in free5GC's UDR (Unified Data Repository) component allows authenticated attackers to repeatedly crash the service via a crafted DELETE request. The vulnerability exists in the nudr-dr endpoint handler for `/subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions`. When a request specifies a non-existent UE ID, the handler correctly identifies the miss and prepares a 404 response, but fails to halt execution before performing an unsafe type assertion on the nil value. This triggers a Go panic that Gin's recovery middleware converts to HTTP 500. The handler panics again on every such request, enabling straightforward denial-of-service against fresh UDR instances. The flaw was introduced through an improper error-handling flow after a map lookup miss.
- Vendor: free5gc
- Product: Unknown
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Telecommunications operators deploying free5GC-based 5G core networks; network security teams managing mobile core infrastructure; DevOps engineers responsible for free5GC UDR component availability
Technical summary
The UDR handler for `DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions` performs `value, ok := udrSelf.UESubsCollection.Load(ueId)` to retrieve UE subscription data. On a cache miss (`ok == false`), it constructs a 404 USER_NOT_FOUND ProblemDetails response but continues execution rather than returning. The subsequent statement `value.(*udr_context.UESubsData)` executes an unchecked type assertion on the nil interface value, causing a runtime panic: `interface conversion: interface {} is nil, not *context.UESubsData`. Gin's recovery mechanism catches the panic and returns HTTP 500, but the handler remains vulnerable to identical repeated requests. The fix in version 4.2.2 adds an early return after setting the 404 response, preventing the nil dereference.
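The fall-through described above, shown beside the early-return form, as an added example that is not free5GC's own code. `UESubsData`, `ueSubs`, both handler functions and `withRecovery` (standing in for Gin's recovery middleware) are hypothetical stand-ins, and the UE ID is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"sync"
)

// UESubsData stands in for udr_context.UESubsData; its field is an assumption.
type UESubsData struct{ EeSubscriptions map[string]struct{} }
var ueSubs sync.Map // plays the role of udrSelf.UESubsCollection, keyed by ueId

// deleteVulnerable: the miss is detected and a 404 prepared, then it falls through.
func deleteVulnerable(ueId, subsId string) (status int) {
	value, ok := ueSubs.Load(ueId)
	if !ok {
		status = http.StatusNotFound // prepared, but no return follows
	}
	ue := value.(*UESubsData) // panics: value is a nil interface on a miss
	delete(ue.EeSubscriptions, subsId)
	return http.StatusNoContent
}

// deleteFixed returns on the miss and uses the comma-ok assertion form.
func deleteFixed(ueId, subsId string) int {
	value, ok := ueSubs.Load(ueId)
	if !ok {
		return http.StatusNotFound
	}
	ue, ok := value.(*UESubsData)
	if !ok {
		return http.StatusInternalServerError // unexpected type stored
	}
	delete(ue.EeSubscriptions, subsId)
	return http.StatusNoContent
}

// withRecovery imitates a recovery middleware: a panic becomes HTTP 500.
func withRecovery(h func(string, string) int, ueId, subsId string) (status int) {
	defer func() {
		if recover() != nil {
			status = http.StatusInternalServerError
		}
	}()
	return h(ueId, subsId)
}

func main() {
	fmt.Println(withRecovery(deleteVulnerable, "imsi-absent", "1"), withRecovery(deleteFixed, "imsi-absent", "1")) // 500 404
}
```

When auditing other handlers, the same two checks apply: every `Load` miss branch must return, and assertions on the loaded value should use the comma-ok form.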
Defensive priority
medium
Recommended defensive actions
- Upgrade free5GC to version 4.2.2 or later which contains the fix
- If immediate patching is not feasible, implement request validation to filter DELETE requests to the affected endpoint for non-existent UE IDs
- Monitor UDR logs for repeated HTTP 500 responses to the nudr-dr DELETE endpoint as potential exploitation indicators
- Review custom UDR modifications for similar unsafe type assertion patterns after map lookups
- Ensure Gin recovery middleware remains enabled to prevent full process termination, though this does not prevent the denial-of-service condition
Evidence notes
The vulnerability description and fix commit confirm the panic occurs at `value.(*udr_context.UESubsData)` following a failed `UESubsCollection.Load(ueId)` lookup. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) reflects network accessibility with low attack complexity and authenticated access required. CWE-704 (Incorrect Type Conversion or Cast) and CWE-754 (Improper Check for Unusual or Exceptional Conditions) are identified as applicable weakness classifications.