These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-44330 is a critical authentication bypass vulnerability in free5GC, an open-source 5G core network implementation. The Network Exposure Function (NEF) component mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization, allowing unauthenticated network attackers to read Packet Flow Description (PFD) application data and manipulate PFD change-notification subscrip [truncated]
free5GC's Session Management Function (SMF) component prior to version 4.2.2 exposes UPI (User Plane Infrastructure) management endpoints without requiring OAuth2 or bearer-token authentication. An unauthenticated network attacker with reachability to the SMF Service-Based Interface (SBI) can perform read, write, and delete operations on UP-node and link configurations. The vulnerability stems from the UP [truncated]
free5GC's Session Management Function (SMF) prior to version 4.2.2 contains an unauthenticated denial-of-service vulnerability in its UPI (User Plane Interface) management API. The DELETE /upi/v1/upNodesLinks/{upNodeRef} endpoint lacks OAuth2 authentication middleware and contains a nil-pointer dereference flaw. When processing a deletion request for an Access Node (AN)-type entry—such as a gNB—the handle [truncated]
free5GC NEF (Network Exposure Function) prior to version 4.2.2 exposes the `nnef-oam` route group without OAuth2/bearer-token authorization. A network attacker with reachability to the NEF Service-Based Interface (SBI) can access OAM (Operations, Administration, and Maintenance) endpoints without providing any Authorization header, receiving HTTP 200 OK responses. While the current OAM handler [truncated]
A critical authentication bypass vulnerability in free5GC's Network Exposure Function (NEF) allows unauthenticated network attackers to manipulate 5G traffic steering subscriptions. The 3gpp-traffic-influence API endpoint lacks OAuth2/bearer-token authorization enforcement, permitting arbitrary create, read, patch, and delete operations on traffic-influence subscriptions—including AnyUeInd=true subscripti [truncated]
A type-confusion vulnerability in free5GC's Network Repository Function (NRF) allows unauthenticated remote attackers to trigger panics via the OAuth2 token endpoint. The root cause is unsafe reflection in the SBI access token handler that assumes all non-string, non-NfType fields in the token request struct are of type models.PlmnId. When an attacker submits form-encoded data with field names whose actua [truncated]
A nil-pointer dereference panic in free5GC's UDR (Unified Data Repository) component allows authenticated attackers to repeatedly crash the service via a crafted DELETE request. The vulnerability exists in the nudr-dr endpoint handler for `/subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions`. When a request specifies a non-existent UE ID, the handler correctly identifies [truncated]
A nil-pointer dereference vulnerability exists in free5GC's UDR (Unified Data Repository) component prior to version 4.2.2. The affected endpoint is the nudr-dr DELETE handler for `/subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions`. The handler performs a map lookup for `UESubsData.EeSubscriptionCollection[subsId]` and correctly detects a miss, setting a 404 problem-det [truncated]
A nil-pointer dereference vulnerability in free5GC's Network Exposure Function (NEF) prior to version 4.2.2 allows unauthenticated remote attackers to trigger a panic and HTTP 500 error response. The flaw exists in the PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} endpoint handler. When an upstream UDR (Unified Data Repository) call fails and the consumer wrapper returns [truncated]
free5GC's Session Management Function (SMF) component prior to version 4.2.2 exposes an unauthenticated management endpoint that can trigger a fatal process termination. The UPI (User Plane Infrastructure) management route group at POST /upi/v1/upNodesLinks lacks OAuth2 middleware, allowing unauthenticated attackers to submit JSON payloads. When the handler processes attacker-controlled input through UpNo [truncated]
free5GC NEF (Network Exposure Function) prior to version 4.2.2 fails to enforce OAuth2/bearer-token authorization on the nnef-callback route group. An attacker can submit forged callback requests with arbitrary bearer tokens to reach SMF-callback handlers and manipulate subscription state if a valid NotifId is known or guessed. The vulnerability stems from missing inbound authentication middleware on the [truncated]
A critical availability vulnerability in free5GC's Network Exposure Function (NEF) allows unauthenticated remote attackers to terminate the entire NEF process via a malformed PFD subscription. The flaw resides in PfdChangeNotifier.FlushNotifications(), where delivery failures to a subscriber's notifyUri trigger a fatal log call equivalent to os.Exit(1), causing immediate process termination with status 1. [truncated]
A race condition in free5GC's Binding Support Function (BSF) prior to version 4.2.2 allows authenticated attackers to trigger a fatal runtime panic and denial-of-service condition. The vulnerability exists in the PUT /nbsf-management/v1/subscriptions/{subId} handler where concurrent map access occurs: the handler reads from a global Subscriptions map under RLock(), but when a subscription does not exist, [truncated]
A nil pointer dereference vulnerability in free5GC's Policy Control Function (PCF) allows authenticated attackers to trigger a denial of service via a crafted API request. The flaw exists in the POST /npcf-policyauthorization/v1/app-sessions handler prior to version 4.2.2. When processing application session creation requests with the traffic-routing feature enabled (suppFeat ==
A nil-pointer dereference in free5GC's Policy Control Function (PCF) allows unauthenticated remote attackers to trigger a panic via a crafted POST request to the SM Policy Control endpoint. The vulnerability exists in versions prior to 4.2.2, where the HandleCreateSmPolicyRequest handler fails to properly handle 404 responses from downstream UDR lookups. When the OpenAPI consumer wrapper returns an error [truncated]
free5GC is an open-source implementation of the 5G core network. Prior to version 4.2.2, the Network Exposure Function (NEF) component mounts the 3gpp-pfd-management API without enforcing inbound OAuth2/bearer-token authorization. A network attacker with reachability to the NEF on the Service-Based Interface (SBI) can create, read, and delete PFD-management transaction state using a forged or arbitrary be [truncated]
free5GC prior to version 4.2.2 contains a missing authentication vulnerability in the PCF (Policy Control Function) Npcf_SMPolicyControl service. The smPolicyGroup route group is registered without the RouterAuthorizationCheck middleware, allowing unauthenticated network requests to reach SM policy business logic. Affected endpoints include /npcf-smpolicycontrol/v1/sm-policies and related sub-resources. T [truncated]
A vulnerability in free5GC's Access and Mobility Management Function (AMF) prior to version 4.2.2 allows security context mismatches between the network and User Equipment (UE). The AMF fails to enforce concurrent security procedure rules from 3GPP TS 33.501 §6.9.5.1, specifically not checking for ongoing N2 handover procedures before initiating NAS Security Mode Command, and vice versa. This can result i [truncated]
A medium-severity vulnerability in free5GC's Access and Mobility Management Function (AMF) allows malicious gNodeBs to overwrite UE security capabilities, causing persistent handover denial-of-service. The AMF fails to validate UE Security Capabilities in NGAP PathSwitchRequest messages against locally stored values as required by 3GPP TS 33.501 §6.7.3.1. Arbitrary values propagate through PathSwitchReque [truncated]