Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's BSF PUT /nbsf-management/v1/subscriptions/{subId} handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock() via BSFContext.GetSubscription(subId), but if the subscription does not exist, ReplaceIndividualSubcription() writes back to the same map directly without taking the mutex (bsfContext.BsfSelf.Subscriptions[subId] = subscription). Under concurrent authenticated PUT load, one goroutine can read while another writes the map, which causes the Go runtime to abort the process with fatal error: concurrent map read and map write (Go runtime panics that come from concurrent map access bypass recover() and terminate the process). The BSF container exits with code 2 -- the entire BSF SBI surface goes down until restart. This vulnerability is fixed in 4.2.2.
Published: 2026-05-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in free5GC’s BSF component, where a concurrent PUT request to /nbsf-management/v1/subscriptions/{subId} performs an unsynchronized write to the global Subscriptions map. The handler first reads the map under a read lock but, when the subscription is missing, writes to the same map without acquiring the mutex. Concurrent authenticated PUT traffic can trigger a race between the read lock and the unsynchronized write, causing the Go runtime to panic with a fatal error: concurrent map read and map write. This panic terminates the BSF process, resulting in the entire BSF service becoming unavailable until a restart.

Affected Systems

Products affected are free5GC versions of the free5gc suite released before 4.2.2. The issue is tied to the free5gc free5gc component, specifically the BSF module. No other vendor products are listed.

Risk and Exploitability

The CVSS score of 6.5 categorizes the risk as medium. The EPSS score is not available, and the vulnerability has not been listed in the CISA KEV catalog. The likely attack vector is a targeted workload that floods the BSF endpoint with concurrent authenticated PUT requests, which is feasible for an attacker with legitimate access to the BSF API. Successful exploitation results in a service disruption rather than direct data compromise.

Generated by OpenCVE AI on May 27, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5gc to version 4.2.2 or later, where the concurrent map write is protected by a mutex.
  • If an upgrade is not immediately possible, restrict the number of concurrent PUT requests to the /nbsf-management/v1/subscriptions/{subId} endpoint, or temporarily disable the endpoint until the patch is applied.
  • Implement monitoring on the BSF container to detect sudden exits and automatically restart the container when it crashes to minimize downtime.

Generated by OpenCVE AI on May 27, 2026 at 21:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-27ph-8q4f-h7m7 free5GC's BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes the BSF process via concurrent map read/write on Subscriptions
History

Thu, 28 May 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*

Thu, 28 May 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc free5gc
Vendors & Products Free5gc
Free5gc free5gc

Wed, 27 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's BSF PUT /nbsf-management/v1/subscriptions/{subId} handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock() via BSFContext.GetSubscription(subId), but if the subscription does not exist, ReplaceIndividualSubcription() writes back to the same map directly without taking the mutex (bsfContext.BsfSelf.Subscriptions[subId] = subscription). Under concurrent authenticated PUT load, one goroutine can read while another writes the map, which causes the Go runtime to abort the process with fatal error: concurrent map read and map write (Go runtime panics that come from concurrent map access bypass recover() and terminate the process). The BSF container exits with code 2 -- the entire BSF SBI surface goes down until restart. This vulnerability is fixed in 4.2.2.
Title free5GC: BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes the BSF process via concurrent map read/write on Subscriptions
Weaknesses CWE-362
CWE-820
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Free5gc Free5gc
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:35:49.998Z

Reserved: 2026-05-05T19:00:06.022Z

Link: CVE-2026-44318

cve-icon Vulnrichment

Updated: 2026-05-27T17:33:10.922Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T17:16:36.887

Modified: 2026-05-28T18:24:58.980

Link: CVE-2026-44318

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T02:15:03Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE-820

    Missing Synchronization