Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's PCF POST /npcf-smpolicycontrol/v1/sm-policies handler (HandleCreateSmPolicyRequest) panics with a nil-pointer dereference when a downstream OpenAPI consumer call (UDR lookup) returns 404 Not Found and the consumer wrapper returns err != nil together with a nil response struct. The handler logs the OpenAPI error and continues executing instead of returning, then dereferences the nil response struct on a subsequent line and panics. Gin recovery converts the panic into HTTP 500, so a single attacker-shaped POST returns 500 instead of a clean 4xx whenever the downstream lookup fails. The PCF process keeps running. The trigger is a single POST containing input that causes the downstream UDR lookup to fail (e.g. an unknown DNN). In 4.2.1 this endpoint is also reachable WITHOUT an Authorization header because the PCF Npcf_SMPolicyControl route group is mounted without inbound auth middleware. This vulnerability is fixed in 4.2.2.
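The bug pattern the description states in prose, as an added Go example (not free5GC's own code; the types, function names and the "internet" DNN are constructed stand-ins): a consumer wrapper that returns err != nil with a nil response, the log-and-continue handler that dereferences it, the early-return fix, and a recover wrapper standing in for Gin's Recovery middleware.

```go
package main

import (
	"fmt"
	"net/http"
)
type SmPolicyData struct{ DNN string } // constructed stand-in for the UDR data type

// lookupUDR models the OpenAPI consumer wrapper: a downstream 404 yields err != nil
// together with a nil response struct (constructed; not free5GC's own code).
func lookupUDR(dnn string) (*SmPolicyData, error) {
	if dnn != "internet" { // constructed: only one DNN is known to the UDR
		return nil, fmt.Errorf("udr lookup for dnn %q: 404 Not Found", dnn)
	}
	return &SmPolicyData{DNN: dnn}, nil
}

// vulnerableHandler mirrors the reported pattern (CWE-476 / CWE-754).
func vulnerableHandler(dnn string) int {
	data, err := lookupUDR(dnn)
	if err != nil {
		fmt.Println("error:", err) // logged, but execution falls through
	}
	_ = data.DNN // nil-pointer dereference whenever err != nil
	return http.StatusCreated
}

// fixedHandler returns early with a clean 4xx instead of continuing.
func fixedHandler(dnn string) int {
	data, err := lookupUDR(dnn)
	if err != nil {
		fmt.Println("error:", err)
		return http.StatusNotFound
	}
	_ = data.DNN
	return http.StatusCreated
}

// serve emulates gin's Recovery middleware: a panic becomes HTTP 500.
func serve(h func(string) int, dnn string) (status int) {
	defer func() {
		if r := recover(); r != nil {
			fmt.Println("panic recovered:", r)
			status = http.StatusInternalServerError
		}
	}()
	return h(dnn)
}

func main() { fmt.Println(serve(vulnerableHandler, "unknown"), serve(fixedHandler, "unknown")) }
```

Running it prints 500 for the vulnerable handler and 404 for the fixed one on the same unknown DNN, which is the observable difference a log-based detector for repeated 500s on this route keys on.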
Published: 2026-05-27
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A nil-pointer dereference in the PCF HandleCreateSmPolicyRequest function causes a panic when a downstream UDR lookup returns 404. The panic is converted by Gin recovery into an HTTP 500 response, allowing an attacker to trigger a server error with a single crafted POST request. The panic occurs after a failed lookup, not during authentication, so the error is not mitigated by standard auth controls. The vulnerability is based on unchecked return values and improper null handling (CWE-476 and CWE-754).

Affected Systems

free5GC PCF component, versions prior to 4.2.2. In 4.2.1 and earlier the endpoint was additionally unprotected and could be accessed without an Authorization header.

Risk and Exploitability

The CVSS score of 7.5 indicates moderate-to-high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, unauthenticated POST requests to /npcf-smpolicycontrol/v1/sm-policies that trigger a downstream UDR lookup failure. Exploitation causes HTTP 500 responses and can degrade availability, but the PCF process remains operational. The lack of inbound authentication middleware in earlier versions increases the likelihood that malicious actors can reach the endpoint.

Generated by OpenCVE AI on May 27, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5GC to version 4.2.2 or later to apply the nil-pointer dereference fix.
  • If upgrading immediately is not possible, place the /npcf-smpolicycontrol/v1/sm-policies endpoint behind a firewall or reverse proxy that blocks unauthenticated POST requests until the patch is applied.
  • Enable monitoring of PCF logs to detect unexpected 500 responses; consider automating a service restart when repeated panics occur to maintain availability.



Advisories
Source: GitHub GHSA
ID: GHSA-wr8j-6chw-gm6p
Title: free5GC's PCF npcf-smpolicycontrol POST /sm-policies panics on downstream UDR/OpenAPI 404 via nil pointer dereference
History

Wed, 27 May 2026 18:30:00 +0000

Values added:
Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 16:30:00 +0000

Values added:
Description: the CVE description quoted in the Description section at the top of this page
Title: free5GC: PCF npcf-smpolicycontrol POST /sm-policies panics on downstream UDR/OpenAPI 404 via nil pointer dereference
Weaknesses: CWE-476, CWE-754
References:
Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:54:45.817Z

Reserved: 2026-05-05T19:00:06.022Z

Link: CVE-2026-44316

Vulnrichment

Updated: 2026-05-27T17:54:41.727Z

NVD

Status : Undergoing Analysis

Published: 2026-05-27T17:16:36.570

Modified: 2026-05-27T19:51:27.110

Link: CVE-2026-44316

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:30:35Z

Weaknesses