PatchSiren

CVE-2026-44328 free5gc CVE debrief

free5GC's Session Management Function (SMF) prior to version 4.2.2 contains an unauthenticated denial-of-service vulnerability in its UPI (User Plane Interface) management API. The DELETE /upi/v1/upNodesLinks/{upNodeRef} endpoint lacks OAuth2 authentication middleware and contains a nil-pointer dereference flaw. When processing a deletion request for an Access Node (AN)-type entry, such as a gNB, the handler executes UpNodeDelete(upNodeRef) to mutate the in-memory user-plane topology, then attempts to access upNode.UPF unconditionally. Because AN-typed nodes are constructed without a UPF object, this access dereferences a nil pointer, and the resulting panic crashes the SMF. An off-path attacker can trigger this by sending a single unauthenticated DELETE request naming any AN entry, achieving both state mutation and service disruption. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H reflects network accessibility, low attack complexity, no privileges required, and high availability impact with low integrity impact due to the topology mutation. The vulnerability is fixed in free5GC 4.2.2 via commit b57bc48081c3d3a2f333d02eb78e4fd31a120deb.

Vendor: free5gc
Product: Unknown
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations operating free5GC-based 5G core networks, telecommunications infrastructure providers, mobile network operators (MNOs) using open-source 5G core implementations, and security teams responsible for 5G NFV/SDN infrastructure.

Technical summary

The SMF component in free5GC versions prior to 4.2.2 exposes the UPI management route group without OAuth2 authentication. The DELETE handler for /upi/v1/upNodesLinks/{upNodeRef} performs an unconditional dereference of upNode.UPF after an async release operation. For AN-typed nodes (e.g., gNB entries), which lack a UPF object, this causes a nil-pointer panic. The handler mutates the in-memory user-plane topology via UpNodeDelete(upNodeRef) before crashing, resulting in an unauthenticated, state-mutating denial-of-service condition exploitable by any network-accessible attacker who can name an existing AN entry.
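
The two parts of the fix described above (authentication in front of the route, and a nil check before the UPF is touched), shown as an added Go example that is not free5GC's code. The types, the handler and the net/http wiring are hypothetical stand-ins, and the static bearer-token comparison is an assumption standing in for real OAuth2 token validation.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"strings"
	"sync"
)

// Hypothetical stand-ins for the SMF topology types; not free5GC's definitions.
type UPF struct{ released bool }
type UPNode struct{ UPF *UPF } // UPF stays nil for AN-typed nodes such as a gNB

type Topology struct {
	mu    sync.Mutex
	nodes map[string]*UPNode
}

// requireBearer rejects the request before the handler (and any mutation) runs.
func requireBearer(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), []byte("Bearer "+token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// deleteNode removes a node and releases its UPF only when the node has one.
func (t *Topology) deleteNode(w http.ResponseWriter, r *http.Request) {
	ref := strings.TrimPrefix(r.URL.Path, "/upi/v1/upNodesLinks/")
	t.mu.Lock()
	defer t.mu.Unlock()
	node, ok := t.nodes[ref]
	if r.Method != http.MethodDelete || !ok { // wrong method or unknown ref: no mutation
		http.NotFound(w, r)
		return
	}
	delete(t.nodes, ref)
	if node.UPF != nil { // the guard the unconditional upNode.UPF access lacked
		node.UPF.released = true
	}
	w.WriteHeader(http.StatusNoContent)
}

func main() {
	t := &Topology{nodes: map[string]*UPNode{"gNB1": {}}} // constructed sample topology
	panic(http.ListenAndServe("127.0.0.1:8080", requireBearer("test-token", http.HandlerFunc(t.deleteNode))))
}
```

Driving the handler through net/http/httptest in a test environment gives a repeatable check that an unauthenticated DELETE leaves the topology untouched and that an authenticated DELETE of an AN entry completes without a panic.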

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade free5GC SMF to version 4.2.2 or later to obtain the authentication middleware and nil-pointer fix.
  • If immediate patching is not feasible, restrict network access to the UPI management API endpoints to trusted administrative hosts only.
  • Monitor SMF process logs for unexpected panic restarts or DELETE requests to /upi/v1/upNodesLinks/* paths from unauthorized sources.
  • Review user-plane topology configuration for unauthorized modifications that may have occurred prior to any observed crashes.
  • Validate that OAuth2 middleware is active on all UPI management routes after upgrade by attempting unauthenticated requests in a test environment.

Evidence notes

Vulnerability description and fix details sourced from NVD record and GitHub Security Advisory GHSA-p9mg-74mg-cwwr. Fix commit b57bc48081c3d3a2f333d02eb78e4fd31a120deb and pull request 199 in free5gc/smf repository confirm remediation in version 4.2.2. CWE-306 (Missing Authentication for Critical Function), CWE-476 (NULL Pointer Dereference), and CWE-862 (Missing Authorization) identified in advisory.

Official resources

2026-05-27