CVE-2026-44321 | THREATINT

Description

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. The POST /upi/v1/upNodesLinks create-or-update handler accepts attacker-controlled JSON and passes it directly into UpNodesFromConfiguration(), which calls logger.InitLog.Fatalf(...) on several validation failures. One confirmed path is the UE-IP-pool overlap check: a single unauthenticated POST that adds a new UPF whose pool overlaps an existing UPF terminates the entire SMF process (docker ps shows Exited (1)), not just the goroutine. This vulnerability is fixed in 4.2.2.

PUBLISHED Reserved 2026-05-05 | Published 2026-05-27 | Updated 2026-05-27 | Assigner GitHub_M

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-306: Missing Authentication for Critical Function

CWE-617: Reachable Assertion

CWE-862: Missing Authorization

Product status

< 4.2.2

affected

References

github.com/...ree5gc/security/advisories/GHSA-44qj-cghf-9p97 exploit

github.com/...ree5gc/security/advisories/GHSA-44qj-cghf-9p97

github.com/free5gc/free5gc/issues/906

github.com/free5gc/smf/pull/203

github.com/...ommit/e0974e07ddab44a67d36a563cca383b2449e33e5

cve.org (CVE-2026-44321)

nvd.nist.gov (CVE-2026-44321)

Download JSON