Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's PCF POST /npcf-policyauthorization/v1/app-sessions handler panics on a single authenticated request whose ascReqData.suppFeat == "1" (enabling traffic-routing feature negotiation) and whose medComponents entries supply an afAppId but NO AfRoutReq. The create path then calls provisioningOfTrafficRoutingInfo(smPolicy, appID, routeReq, ...) with routeReq == nil and dereferences routeReq.RouteToLocs (and other fields) without a nil check, causing runtime error: invalid memory address or nil pointer dereference. Gin recovery converts the panic into HTTP 500. This vulnerability is fixed in 4.2.2.
Published: 2026-05-27
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

free5GC’s Policy Control Function contains a nil pointer dereference in its POST /npcf-policyauthorization/v1/app-sessions endpoint. When an authenticated request carries a suppFeat value of "1" (enabling traffic‑routing feature negotiation) and includes afAppId entries without corresponding AfRoutReq, the code calls provisioningOfTrafficRoutingInfo with a nil routeReq parameter. The function then attempts to read routeReq.RouteToLocs without a nil check, causing a runtime panic. The Gin framework’s recovery logic turns this panic into an HTTP 500 response, resulting in a denial of service to the affected PCF instance for the duration of the error and potentially disrupting policy provisioning for the 5G core network.
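
The failure pattern described above, next to a guarded form, as an added example that is not free5GC's own code. The types and the functions provisionUnchecked, provisionChecked and callRecovered are hypothetical, simplified stand-ins; only the names AfRoutReq, afAppId and RouteToLocs come from the advisory.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified stand-ins for the request types named in the advisory.
type RouteToLocation struct{ Dnai string }
type AfRoutingRequirement struct{ RouteToLocs []RouteToLocation }
type MediaComponent struct {
	AfAppId   string
	AfRoutReq *AfRoutingRequirement // optional in the request body, so it may be nil
}

var ErrMissingRoutReq = errors.New("afAppId supplied without afRoutReq")

// provisionUnchecked reproduces the flawed pattern: it reads a field through
// routeReq without first checking for nil.
func provisionUnchecked(appID string, routeReq *AfRoutingRequirement) int {
	return len(routeReq.RouteToLocs) // panics when routeReq == nil
}

// provisionChecked rejects the nil case with an error the handler can map to a 4xx.
func provisionChecked(appID string, routeReq *AfRoutingRequirement) (int, error) {
	if routeReq == nil {
		return 0, fmt.Errorf("app %q: %w", appID, ErrMissingRoutReq)
	}
	return len(routeReq.RouteToLocs), nil
}

// callRecovered mimics recovery middleware: a panic in f becomes status 500.
func callRecovered(f func()) (status int) {
	defer func() {
		if r := recover(); r != nil {
			status = 500
		}
	}()
	f()
	return 201
}

func main() {
	mc := MediaComponent{AfAppId: "app-1"} // constructed input: AfRoutReq omitted
	fmt.Println(callRecovered(func() { provisionUnchecked(mc.AfAppId, mc.AfRoutReq) }))
	_, err := provisionChecked(mc.AfAppId, mc.AfRoutReq)
	fmt.Println(err)
}
```
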

Affected Systems

The vulnerability affects free5GC prior to version 4.2.2. Systems running earlier releases of the free5GC PCF component are affected, regardless of deployment environment. The issue is tied to the PCF service component responsible for policy authorization.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium-severity denial‑of‑service vulnerability. No EPSS data are available, and the vulnerability is not currently listed in CISA’s KEV catalog, suggesting limited exploitation in the wild at this time. An attacker must possess valid credentials to access the PCF endpoint, so this is an authenticated threat. Once authenticated, an attacker can trigger the panic by sending a single POST request that satisfies the described conditions, causing the PCF to return HTTP 500 and potentially impacting policy service availability for all subscriber sessions. Mitigation requires patching or a temporary workaround until an official fix is deployed.

Generated by OpenCVE AI on May 27, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5gc to version 4.2.2 or later to apply the fixed handler for the POST /npcf-policyauthorization/v1/app-sessions endpoint.
  • If upgrading immediately is not possible, reconfigure the PCF service to disable traffic‑routing feature negotiation by setting suppFeat to 0 or removing traffic‑routing logic from the request flow to avoid triggering the nil pointer dereference.
  • After applying the fix or reconfiguration, validate the endpoint by sending a test request and confirm that it no longer returns HTTP 500; monitor logs for any remaining panic errors.



Advisories
| Source | ID | Title |
| --- | --- | --- |
| Github GHSA | GHSA-wwqh-7jm5-gj7w | free5GC's PCF npcf-policyauthorization POST /app-sessions panics on suppFeat=1 with missing AfRoutReq via nil pointer dereference |

History

Thu, 28 May 2026 03:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Free5gc; Free5gc free5gc |
| Vendors & Products | | Free5gc; Free5gc free5gc |

Wed, 27 May 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's PCF POST /npcf-policyauthorization/v1/app-sessions handler panics on a single authenticated request whose ascReqData.suppFeat == "1" (enabling traffic-routing feature negotiation) and whose medComponents entries supply an afAppId but NO AfRoutReq. The create path then calls provisioningOfTrafficRoutingInfo(smPolicy, appID, routeReq, ...) with routeReq == nil and dereferences routeReq.RouteToLocs (and other fields) without a nil check, causing runtime error: invalid memory address or nil pointer dereference. Gin recovery converts the panic into HTTP 500. This vulnerability is fixed in 4.2.2. |
| Title | | free5GC: PCF npcf-policyauthorization POST /app-sessions panics on suppFeat=1 with missing AfRoutReq via nil pointer dereference |
| Weaknesses | | CWE-476; CWE-754 |
| References | | |
| Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T15:50:18.242Z

Reserved: 2026-05-05T19:00:06.022Z

Link: CVE-2026-44317

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-05-27T17:16:36.723

Modified: 2026-05-27T19:51:27.110

Link: CVE-2026-44317

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T03:30:05Z

Weaknesses