Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. The POST /upi/v1/upNodesLinks create-or-update handler accepts attacker-controlled JSON and passes it directly into UpNodesFromConfiguration(), which calls logger.InitLog.Fatalf(...) on several validation failures. One confirmed path is the UE-IP-pool overlap check: a single unauthenticated POST that adds a new UPF whose pool overlaps an existing UPF terminates the entire SMF process (docker ps shows Exited (1)), not just the goroutine. This vulnerability is fixed in 4.2.2.
Published: 2026-05-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SMF component in free5GC, before version 4.2.2, exposes its UPI management routes without OAuth2 middleware. A single unauthenticated POST request to /upi/v1/upNodesLinks containing attacker‑controlled JSON can trigger a logger.Fatalf call during validation. When the request creates a UPF whose IP pool overlaps an existing one, this fatal call terminates the entire SMF process. The result is a loss of all SMF services, effectively causing a denial of service rather than code execution. The vulnerability has a CVSS score of 7.5 and allows unauthenticated, network‑reachable attackers to disrupt the core network.
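The failure mode described above, shown in its corrected form as an added example; this is not free5GC's code. The `upfPools` type, the `add` and `apply` functions and the request shape are hypothetical stand-ins, used to show an overlap check that returns an error the handler maps to HTTP 400 instead of calling `Fatalf`, which exits the process.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/netip"
)

// upfPools is a constructed stand-in for UPF topology state: UPF name -> UE IP pool.
type upfPools map[string]netip.Prefix

// newPools returns a store seeded with one constructed UPF.
func newPools() upfPools {
	return upfPools{"UPF1": netip.MustParsePrefix("10.60.0.0/16")}
}

// add returns validation failures as errors; Fatalf here would os.Exit(1) the process.
func (s upfPools) add(name, cidr string) error {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return fmt.Errorf("invalid pool %q: %w", cidr, err)
	}
	for other, q := range s {
		if other != name && p.Overlaps(q) {
			return fmt.Errorf("pool %s overlaps %s (%s)", p, other, q)
		}
	}
	s[name] = p.Masked()
	return nil
}

// apply decodes one request body and returns the HTTP status the handler should send.
func (s upfPools) apply(body []byte) (int, error) {
	var req struct{ Name, Pool string }
	if err := json.Unmarshal(body, &req); err != nil {
		return http.StatusBadRequest, err
	}
	if err := s.add(req.Name, req.Pool); err != nil {
		return http.StatusBadRequest, err
	}
	return http.StatusNoContent, nil
}

func main() {
	s := newPools()
	fmt.Println(s.apply([]byte(`{"name":"UPF2","pool":"10.60.128.0/17"}`))) // overlap
	fmt.Println(s.apply([]byte(`{"name":"UPF2","pool":"10.61.0.0/16"}`)))
}
```

The same rule applies to every validation branch reachable from a request handler: fatal logging belongs only in start-up code that parses trusted local configuration.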

Affected Systems

This weakness affects the SMF module in the free5GC open‑source 5G core network implementation. All installations running any free5GC version earlier than 4.2.2 are vulnerable; the issue is fixed in free5GC version 4.2.2.

Risk and Exploitability

Because the UPI endpoint is network-reachable and requires no authentication, an attacker can exploit this flaw from anywhere on the network that can reach the SMF. The exploit simply sends a crafted POST request that results in a fatal error, immediately shutting down the SMF process. This severs service for any applications or networks relying on the SMF. The CVE is not listed in KEV, and its CVSS score of 7.5 (High) indicates a significant risk for operational environments.

Generated by OpenCVE AI on May 27, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the free5GC installation to version 4.2.2 or newer, where the validation failure is handled without terminating the process.
  • Ensure that the /upi/v1/upNodesLinks endpoint is protected by OAuth2 or other authentication mechanisms if an upgrade is not immediately possible.
  • Restrict network access to the SMF’s UPI endpoint using firewall rules or host‑based access control to limit exposure to trusted administrators.



Advisories
Source: Github GHSA
ID: GHSA-44qj-cghf-9p97
Title: free5GC's SMF UPI POST /upi/v1/upNodesLinks exits the SMF process on overlapping UE pools (unauthenticated, reachable Fatalf)

History

Thu, 28 May 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*

Thu, 28 May 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc free5gc
Vendors & Products Free5gc
Free5gc free5gc

Wed, 27 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Title free5GC: SMF UPI POST /upi/v1/upNodesLinks exits the SMF process on overlapping UE pools (unauthenticated, reachable Fatalf)
Weaknesses CWE-306
CWE-617
CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:53:42.800Z

Reserved: 2026-05-05T19:00:06.022Z

Link: CVE-2026-44321

Vulnrichment

Updated: 2026-05-27T17:53:38.999Z

NVD

Status: Analyzed

Published: 2026-05-27T17:16:37.330

Modified: 2026-05-28T18:01:21.610

Link: CVE-2026-44321

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T02:15:03Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function

  • CWE-617

    Reachable Assertion

  • CWE-862

    Missing Authorization