Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil *ProblemDetails. The handler's errPfdData != nil branch builds its own problemDetailsErr correctly, but immediately after it reads problemDetails.Cause (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into HTTP 500, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing. This vulnerability is fixed in 4.2.2.
Published: 2026-05-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs in the NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler of free5GC prior to version 4.2.2. When an upstream UDR call fails and the consumer wrapper returns an error together with a nil ProblemDetails object, the handler dereferences a nil value. This triggers a panic that, through Gin recovery, results in an HTTP 500 response instead of a controlled error. The flaw does not allow code execution but causes a denial of service by crashing the application. The weakness is a null pointer dereference (CWE-476) and use of a nil member of a null reference (CWE-754).

Affected Systems

The affected product is free5GC, an open‑source 5G core network implementation, specifically its NEF component. Versions prior to 4.2.2 are vulnerable. Upgrades to 4.2.2 or later contain the fix.

Risk and Exploitability

This flaw carries a CVSS base score of 7.5, indicating a high risk with potential impact on availability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by sending crafted HTTP PATCH requests to the vulnerable endpoint from any host that can reach the NEF service, triggering a crash whenever the underlying UDR service is unavailable. The CVSS score reflects that the vulnerability is exploitable without needing privileged local access, but it does not provide additional privileges or confidentiality compromise.

Generated by OpenCVE AI on May 27, 2026 at 19:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5GC to v4.2.2 or newer to apply the fixed handler code
  • Ensure that the UDR service is reliably reachable or configure a health‑check; if failures are unavoidable, temporarily restrict external access to the NEF endpoint to prevent service disruption
  • Monitor application logs for panic traces and HTTP 500 responses. If the issue recurs, consider applying local patchwork such as checking for nil ProblemDetails before dereferencing in downstream code

Generated by OpenCVE AI on May 27, 2026 at 19:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j59f-x285-69jx free5GC's NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference
History

Thu, 28 May 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*

Thu, 28 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc free5gc
Vendors & Products Free5gc
Free5gc free5gc

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil *ProblemDetails. The handler's errPfdData != nil branch builds its own problemDetailsErr correctly, but immediately after it reads problemDetails.Cause (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into HTTP 500, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing. This vulnerability is fixed in 4.2.2.
Title free5GC: NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference
Weaknesses CWE-476
CWE-754
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Free5gc Free5gc
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T14:42:42.998Z

Reserved: 2026-05-05T19:00:06.022Z

Link: CVE-2026-44322

cve-icon Vulnrichment

Updated: 2026-05-28T14:42:36.443Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T17:16:37.480

Modified: 2026-06-17T10:50:30.050

Link: CVE-2026-44322

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T03:30:05Z

Weaknesses
  • CWE-476

    NULL Pointer Dereference

  • CWE-754

    Improper Check for Unusual or Exceptional Conditions