Description
Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2
are vulnerable to null byte injection in URL path parameters. A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the UDM's Nudm_SubscriberDataManagement API. This causes URL parsing failure in Go's net/url package with the error "invalid control character in URL", resulting in a 500 Internal Server Error. This null byte injection vulnerability can be exploited for denial of service attacks. When the supi parameter contains null characters, the UDM attempts to construct a URL for UDR that includes these control characters. Go's URL parser rejects them, causing the request to fail with 500 instead of properly validating input and returning 400 Bad Request. This issue has been fixed in version 1.4.2.
Published: 2026-03-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A null byte injection vulnerability in the free5GC User Data Management (UDM) service allows an attacker to insert URL‑encoded null bytes (%00) into the supi path parameter of the Nudm_SubscriberDataManagement API. This causes Go's net/url package to reject the request with an "invalid control character in URL" error, resulting in a 500 Internal Server Error instead of a proper 400 Bad Request. The effect is a denial of service, as legitimate requests to UDM can be repeatedly denied, impacting service availability.

Affected Systems

The vulnerable component is free5GC's UDM module. All releases prior to version 1.4.2 contain the flaw. The vulnerability lies in the path parameter handling used when UDM contacts the User Data Repository (UDR) via the Nudm_SubscriberDataManagement API. Users running any of the affected free5GC versions on Linux-based 5G core networks are at risk.

Risk and Exploitability

The CVSS score of 8.7 reflects a high severity for denial of service. The EPSS score of less than 1% indicates a low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. A remote attacker can exploit this by sending a crafted HTTP request containing a null byte in the supi parameter to the UDM's API endpoint. The CVE description does not state whether authentication is required, so the access requirement remains uncertain; however, the mechanics of the attack do not rely on privileged input.

Generated by OpenCVE AI on March 23, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official upgrade to free5GC version 1.4.2 or later, which fixes the null byte handling in UDM.

Generated by OpenCVE AI on March 23, 2026 at 19:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p9hg-pq3q-v9gv free5GC UDM vulnerable to null byte injection in URL path parameters causing 500 Internal Server Error
History

Mon, 23 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc udm
CPEs cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*
Vendors & Products Free5gc udm
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}

Fri, 20 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc free5gc
Vendors & Products Free5gc
Free5gc free5gc

Fri, 20 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
Description Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to null byte injection in URL path parameters. A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the UDM's Nudm_SubscriberDataManagement API. This causes URL parsing failure in Go's net/url package with the error "invalid control character in URL", resulting in a 500 Internal Server Error. This null byte injection vulnerability can be exploited for denial of service attacks. When the supi parameter contains null characters, the UDM attempts to construct a URL for UDR that includes these control characters. Go's URL parser rejects them, causing the request to fail with 500 instead of properly validating input and returning 400 Bad Request. This issue has been fixed in version 1.4.2.
Title free5GC UDM vulnerable to null byte injection in URL path parameters causing 500 Internal Server Error
Weaknesses CWE-158
CWE-248
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Free5gc Free5gc Udm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T19:36:09.548Z

Reserved: 2026-03-17T22:16:36.721Z

Link: CVE-2026-33191

cve-icon Vulnrichment

Updated: 2026-03-20T19:35:59.504Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T08:16:12.597

Modified: 2026-03-23T18:24:15.897

Link: CVE-2026-33191

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:30:07Z

Weaknesses