Description
Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to procedure panic caused by Nil Pointer Dereference in the /sdm-subscriptions endpoint. A remote attacker can cause the UDM service to panic and crash by sending a crafted POST request to the /sdm-subscriptions endpoint with a malformed URL path containing path traversal sequences (../) and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go attempts to access a nil pointer without proper validation, causing a complete service crash with "runtime error: invalid memory address or nil pointer dereference". Exploitation would result in UDM functionality disruption until recovery by restart. This issue has been fixed in version 1.4.2.
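As an added illustration of the bug class (a constructed example, not free5GC's code): a hypothetical Go handler for a POST /sdm-subscriptions-style endpoint that dereferences an optional pointer field of the decoded JSON without checking it, next to a hardened handler that bounds the body size and validates the field before use, plus a recovery wrapper that logs the panic and answers 500 so one bad request cannot take the whole process down. The subscription struct, its field name and the helper names are assumptions; the path-traversal part of the request is not modelled.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

type subscription struct {
	CallbackReference *string `json:"callbackReference"` // optional: nil when absent (constructed shape, not free5GC's)
}

// vulnerableHandler shows the bug class: the decoded pointer is used without a nil check.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	var sub subscription
	_ = json.NewDecoder(r.Body).Decode(&sub) // decode error ignored
	w.Write([]byte(*sub.CallbackReference))  // runtime panic: nil pointer dereference
}

// hardenedHandler bounds the body size and validates before any dereference.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	var sub subscription
	r.Body = http.MaxBytesReader(w, r.Body, 64<<10) // oversized JSON fails to decode
	if err := json.NewDecoder(r.Body).Decode(&sub); err != nil || sub.CallbackReference == nil {
		http.Error(w, "invalid subscription body", http.StatusBadRequest)
		return
	}
	w.Write([]byte(*sub.CallbackReference))
}

// serveRecovering logs a handler panic and answers 500 instead of letting the process die.
func serveRecovering(h http.HandlerFunc, w http.ResponseWriter, r *http.Request) {
	defer func() {
		if rec := recover(); rec != nil {
			log.Printf("recovered panic on %s %s: %v", r.Method, r.URL.Path, rec)
			http.Error(w, "internal error", http.StatusInternalServerError)
		}
	}()
	h(w, r)
}

// post runs one constructed POST /sdm-subscriptions through the recovery wrapper and returns the status.
func post(h http.HandlerFunc, body string) int {
	rec := httptest.NewRecorder()
	serveRecovering(h, rec, httptest.NewRequest(http.MethodPost, "/sdm-subscriptions", strings.NewReader(body)))
	return rec.Code
}
```

With the wrapper in place the unvalidated handler still fails the request (500, and the panic is logged for detection) but the service keeps running; the hardened handler rejects the same bodies with 400 before any dereference.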
Published: 2026-03-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Denial of Service
Action: Patch immediately
AI Analysis

Impact

A nil pointer dereference in the DataChangeNotificationProcedure function of the free5GC UDM causes a runtime panic when it processes a POST request to the /sdm-subscriptions endpoint. The flaw lets an attacker force a complete service crash by sending a crafted request that includes path traversal sequences and a large JSON payload, resulting in a denial of service for 5G core network operations; a service restart is required for recovery. The weakness is identified as CWE-476 and CWE-478.

Affected Systems

All releases of free5GC UDM prior to version 1.4.2 are vulnerable; users running those versions remain at risk until the patched release is deployed. The affected product is the UDM component of the free5GC open-source 5G core network stack.

Risk and Exploitability

The CVSS base score of 8.7 indicates high severity, while the EPSS score of less than 1% suggests a low current probability of exploitation; the vulnerability is not listed in the CISA KEV catalog. Based on the description, no authentication is inferred to be required to send the crafted POST request to the /sdm-subscriptions endpoint, implying a low barrier to entry for remote attackers. Successful exploitation triggers a crash that persists until the service is manually restarted.

Generated by OpenCVE AI on March 23, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5GC to version 1.4.2 or later to eliminate the crash condition.
  • If a patch cannot be applied immediately, restrict external access to the /sdm-subscriptions endpoint using network controls such as firewalls or ACLs.
  • Monitor inbound traffic for malformed POST requests targeting the /sdm-subscriptions path and log any suspicious activity.
  • Verify that the UDM service runs correctly after applying the patch and restart the service if required to clear any lingering state.

Advisories

Source: Github GHSA
ID: GHSA-7g27-v5wj-jr75
Title: free5GC UDM DataChangeNotification Procedure Panic Due to Nil Pointer Dereference

History

Mon, 23 Mar 2026 18:45:00 +0000

Changes:
  • First Time appeared: Free5gc udm
  • Weaknesses: CWE-476
  • CPEs: cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*
  • Vendors & Products: Free5gc udm
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Fri, 20 Mar 2026 16:30:00 +0000

Changes:
  • First Time appeared: Free5gc; Free5gc free5gc
  • Vendors & Products: Free5gc; Free5gc free5gc

Fri, 20 Mar 2026 16:15:00 +0000

Changes:
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 08:15:00 +0000

Changes:
  • Description: the CVE description shown at the top of this page
  • Title: free5GC UDM DataChangeNotification Procedure Panic Due to Nil Pointer Dereference
  • Weaknesses: CWE-478
  • References: (no value shown)
  • Metrics: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-20T15:42:53.709Z
Reserved: 2026-03-17T19:27:06.343Z
Link: CVE-2026-33064

Vulnrichment

Updated: 2026-03-20T15:42:44.180Z

NVD

Status: Analyzed
Published: 2026-03-20T08:16:12.257
Modified: 2026-03-23T18:43:25.237
Link: CVE-2026-33064

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:30:06Z

Weaknesses