PatchSiren cyber security CVE debrief

CVE-2026-44325 free5gc CVE debrief

A type-confusion vulnerability in free5GC's Network Repository Function (NRF) allows unauthenticated remote attackers to trigger panics via the OAuth2 token endpoint. The root cause is unsafe reflection in the SBI access token handler, which assumes that every field of the token request struct that is neither a string nor an NfType is of type models.PlmnId. When a form-encoded request names struct fields whose actual types differ (slices, other structs, primitives), the reflect.Value.Set() call panics. Gin's recovery middleware converts these panics into HTTP 500 responses, but the endpoint remains repeatedly triggerable, resulting in a denial-of-service condition. The vulnerability affects free5GC versions prior to 4.2.2 and requires no authentication or user interaction.

Vendor: free5gc
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Telecommunications operators deploying free5GC-based 5G core networks; security teams responsible for 5G infrastructure; network architects designing NFV deployments with open-source 5G cores; DevOps teams managing free5GC upgrades and patch cycles

Technical summary

The vulnerability exists in the NRF's OAuth2 token request handler, which uses reflection to populate a models.NrfAccessTokenAccessTokenReq struct. The handler explicitly handles only string and NrfNfManagementNfType field types and defaults every other field to models.PlmnId parsing. This design assumes that any remaining field in the struct is a single PlmnId, which is incorrect for fields that are slices, different struct types, or primitive types. When reflect.Value.Set() attempts to assign a *models.PlmnId to an incompatible destination field type, a panic occurs. The Gin web framework's recovery mechanism catches these panics and returns HTTP 500, but the endpoint remains functional and can be repeatedly triggered by unauthenticated attackers sending crafted form-encoded POST requests to /oauth2/token. The attack surface is the NRF SBI interface, which is typically exposed for NF-to-NRF communication in 5G deployments.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade free5GC to version 4.2.2 or later, which contains the fix in commit f7bc77daa7425506af7569f2e61c2a210f5a0423
  • If immediate patching is not feasible, restrict network access to the NRF SBI endpoint POST /oauth2/token to trusted administrative hosts only
  • Monitor for repeated HTTP 500 responses from the NRF OAuth2 token endpoint as potential indicators of exploitation attempts
  • Review application logs for panic stack traces originating from NFs/nrf/internal/sbi/api_accesstoken.go
  • Validate that any custom modifications to the NRF access token handler implement proper type checking before reflection-based field assignment
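
The reflection pattern from the technical summary and the type check called for in the last action above, as an added illustration that is not free5GC's code: NfType, PlmnId and AccessTokenReq are constructed stand-ins for the models package, and populate has a non-strict path that mirrors the flawed "everything else is a PlmnId" fallback beside a strict path that verifies assignability before reflect.Value.Set, so a mismatched field becomes a handled error instead of a panic.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"reflect"
)

// Stand-ins for the free5GC model types (constructed for this example).
type NfType string
type PlmnId struct{ Mcc, Mnc string }
// Constructed token request mixing the field kinds the handler must cope with.
type AccessTokenReq struct {
	GrantType     string
	NfType        NfType
	RequesterPlmn PlmnId
	TargetPlmns   []PlmnId // a slice: the PlmnId fallback cannot be assigned here
}

// populate copies form values into dst by field name. strict=false mirrors the flawed
// pattern (any other field is assumed to be a PlmnId, so Set panics on a mismatch).
func populate(dst *AccessTokenReq, form url.Values, strict bool) error {
	v := reflect.ValueOf(dst).Elem()
	for i := 0; i < v.NumField(); i++ {
		name := v.Type().Field(i).Name
		raw := form.Get(name)
		if raw == "" {
			continue
		}
		fv := v.Field(i)
		switch fv.Interface().(type) {
		case string:
			fv.SetString(raw)
		case NfType:
			fv.Set(reflect.ValueOf(NfType(raw)))
		default:
			var p PlmnId
			if err := json.Unmarshal([]byte(raw), &p); err != nil {
				return fmt.Errorf("field %s: %w", name, err)
			}
			pv := reflect.ValueOf(p)
			if strict && !pv.Type().AssignableTo(fv.Type()) {
				return fmt.Errorf("field %s: cannot assign %s to %s", name, pv.Type(), fv.Type())
			}
			fv.Set(pv) // unchecked assignment: panics for TargetPlmns ([]PlmnId)
		}
	}
	return nil
}
```

In the real handler the strict-mode error would be returned to the client as a 400, which is also what turns a log full of panic stack traces into an ordinary rejected-request record.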

Evidence notes

The vulnerability description identifies the affected file as NFs/nrf/internal/sbi/api_accesstoken.go. The fix commit f7bc77daa7425506af7569f2e61c2a210f5a0423 and pull request 83 in the free5gc/nrf repository provide the remediation. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H confirms network accessibility with low attack complexity, no privileges required, and high availability impact. CWE-20 (Improper Input Validation), CWE-755 (Improper Handling of Exceptional Conditions), and CWE-843 (Access of Resource Using Incompatible Type) are cited as applicable weaknesses.

Official resources

2026-05-27T17:16:37.910Z