Home

Description

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks _, ok = UESubsData.EeSubscriptionCollection[subsId] and sets a 404 problem-details on the miss path, but then continues to UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos -- dereferencing the same missing entry instead of returning. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2.

PUBLISHED Reserved 2026-05-05 | Published 2026-05-27 | Updated 2026-06-01 | Assigner GitHub_M




MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Problem types

CWE-476: NULL Pointer Dereference

Product status

< 4.2.2
affected

References

github.com/...ree5gc/security/advisories/GHSA-4rqf-grm6-vf75

github.com/free5gc/free5gc/issues/919

github.com/free5gc/udr/pull/60

github.com/...ommit/8a1d3c63be99d378806d771f086ff32f1867da99

cve.org (CVE-2026-44323)

nvd.nist.gov (CVE-2026-44323)

Download JSON