CVE-2026-40249 | THREATINT

Description

free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the PUT handler for updating Policy Data notification subscriptions at /nudr-dr/v2/policy-data/subs-to-notify/{subsId} does not return after request body retrieval or deserialization errors. Although HTTP 500 or 400 error responses are sent, execution continues and the processor is invoked with a potentially uninitialized or partially initialized PolicyDataSubscription object. This fail-open behavior may allow unintended modification of existing Policy Data notification subscriptions with invalid or empty input, depending on downstream processor and storage behavior. A patched version was not available at the time of publication.

PUBLISHED Reserved 2026-04-10 | Published 2026-04-16 | Updated 2026-04-18 | Assigner GitHub_M

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-754: Improper Check for Unusual or Exceptional Conditions

CWE-636: Not Failing Securely ('Failing Open')

Product status

<= 4.2.1

affected

References

github.com/...ree5gc/security/advisories/GHSA-gx38-8h33-pmxr

cve.org (CVE-2026-40249)

nvd.nist.gov (CVE-2026-40249)

Download JSON