Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF terminates the entire process when a stored PFD-subscription notifyUri cannot be reached. In PfdChangeNotifier.FlushNotifications(), the notifier calls NnefPFDmanagementNotify(...) and on any delivery error invokes logger.PFDManageLog.Fatal(err), which is os.Exit(1)-equivalent in Go. An attacker who can create a PFD subscription with an attacker-chosen notifyUri and then trigger a PFD change can deterministically kill NEF on the asynchronous delivery attempt -- the process exits with status 1, dropping NEF's entire SBI surface until restart. This vulnerability is fixed in 4.2.2.
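The fatal-exit pattern and a defensive alternative, as an added Go example that is not free5GC's code: the notifier loop below mirrors the behaviour described above, with an injected delivery function standing in for NnefPFDmanagementNotify so it runs offline. The PfdSubscription fields, the maxFailures drop policy and the sample subscriptions are assumptions, not the project's.

```go
package main

import (
	"errors"
	"log"
)

// PfdSubscription stands in for a stored PFD subscription (illustrative fields).
type PfdSubscription struct {
	ID        string
	NotifyURI string
	Failures  int // consecutive delivery failures
}
const maxFailures = 3 // assumed policy: drop a subscriber after 3 consecutive failures
// FlushNotifications delivers payload to every subscription via deliver (a stand-in
// for NnefPFDmanagementNotify, injected so this runs offline). Where the vulnerable
// code called logger.PFDManageLog.Fatal(err), i.e. os.Exit(1), on the first error,
// a failure here is logged and counted against that one subscription; the loop goes on.
func FlushNotifications(subs []PfdSubscription, payload []byte, deliver func(string, []byte) error) ([]PfdSubscription, []string) {
	var kept []PfdSubscription // subscriptions still worth delivering to
	var failed []string        // IDs whose delivery failed this round
	for _, s := range subs { // s is a copy; the updated copy is what gets kept
		if err := deliver(s.NotifyURI, payload); err != nil {
			log.Printf("pfd notify to %s (sub %s) failed: %v", s.NotifyURI, s.ID, err)
			s.Failures++
			failed = append(failed, s.ID)
			if s.Failures >= maxFailures {
				continue // give up on this subscriber rather than retry forever
			}
		} else {
			s.Failures = 0
		}
		kept = append(kept, s)
	}
	return kept, failed
}

func main() {
	// Constructed sample: sub-2's notifyUri is unreachable and already has two failures.
	subs := []PfdSubscription{{ID: "sub-1", NotifyURI: "http://af.example/notify"},
		{ID: "sub-2", NotifyURI: "http://10.0.0.99/notify", Failures: 2}}
	deliver := func(uri string, _ []byte) error {
		if uri == "http://10.0.0.99/notify" {
			return errors.New("connection refused")
		}
		return nil
	}
	kept, failed := FlushNotifications(subs, []byte(`{"pfdChange":1}`), deliver)
	log.Printf("kept=%d failed=%v; process still running", len(kept), failed) // kept=1 failed=[sub-2]
}
```

An unreachable subscriber is the one thing a remote party can arrange at will, so the loop must treat delivery errors as data about that subscriber, never as a reason to exit.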
Published: 2026-05-27
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored PFD‑subscription with an attacker‑controlled notifyUri causes the NEF service to terminate the entire process when the delivery attempt fails. The vulnerable code calls logger.PFDManageLog.Fatal(err) on any error, which is equivalent to os.Exit(1). The result of such an error is a deterministic crash of the NEF component, dropping the entire Service‑Based Interface surface until a restart occurs. This behavior is a denial‑of‑service flaw attributable to improper input validation (CWE‑20), insecure error handling (CWE‑617) and fatal exit on error (CWE‑755).

Affected Systems

The flaw exists in versions of free5GC released before 4.2.2, affecting all deployments that use the NEF component of the free5GC open‑source 5G core network. Any instance running a pre‑4.2.2 release is vulnerable.

Risk and Exploitability

The CVSS score of 7.5 signals a high‑severity vulnerability. Although the EPSS score is not available, the lack of listing in the CISA KEV catalog suggests no widespread public exploitation at this time. Exploitation requires the ability to create a PFD subscription with an arbitrary notifyUri, which typically requires authentication and sufficient privileges to register subscriptions. Once an authorized user submits a malicious notifyUri and triggers a PFD change, the NEF process will crash in a repeatable manner. Based on the description, the attack vector is therefore remote and depends on the exposed NEF API surface and the credentials of the attacker.

Generated by OpenCVE AI on May 27, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5GC to version 4.2.2 or later, which contains the patch for the fatal error handling bug.
  • Restrict the NEF API so that only authenticated and authorized users can create PFD subscriptions, and validate the notifyUri field against a whitelist of allowed domains or IP ranges to prevent arbitrary external URIs.
  • Configure monitoring and alerting for PFD notification errors to detect failure cases promptly, and plan for automatic or manual NEF restarts to maintain service availability.

Generated by OpenCVE AI on May 27, 2026 at 21:52 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-rxrq-fv76-26pr
Title: free5GC's NEF crashes via logger.Fatal on PFD notification delivery failure (attacker-controlled notifyUri)
History

Thu, 28 May 2026 02:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Free5gc
                                      Free5gc free5gc
Vendors & Products                    Free5gc
                                      Free5gc free5gc

Wed, 27 May 2026 16:30:00 +0000

Type          Values Removed   Values Added
Description                    (the Description text shown at the top of this page)
Title                          free5GC: NEF crashes via logger.Fatal on PFD notification delivery failure (attacker-controlled notifyUri)
Weaknesses                     CWE-20, CWE-617, CWE-755
References
Metrics                        cvssV3_1: score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T15:49:20.934Z

Reserved: 2026-05-05T19:00:06.022Z

Link: CVE-2026-44319

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-05-27T17:16:37.033

Modified: 2026-05-27T19:51:27.110

Link: CVE-2026-44319

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T02:15:03Z

Weaknesses