Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks _, ok = UESubsData.EeSubscriptionCollection[subsId] and sets a 404 problem-details on the miss path, but then continues to UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos -- dereferencing the same missing entry instead of returning. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2.
Published: 2026-05-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a nil‑pointer dereference in the free5GC UDR nudr‑dr DELETE /subscription‑data/{ueId}/{servingPlmnId}/ee‑subscriptions/{subsId}/amf‑subscriptions handler. A malicious actor can authenticate, create an EE‑subscription, then issue a DELETE request with a missing subsId. The code attempts to read two fields from the missing entry, triggering a panic that Gin recovers as an HTTP 500 error. Repeated requests can keep the endpoint in a panicable state, effectively denying service. The weakness is identified as CWE‑476.

Affected Systems

The affected product is free5GC, the open‑source 5G core network implementation. All releases prior to version 4.2.2 are affected, as the vulnerability is fixed in 4.2.2. This includes the free5gc:free5gc UDR component.

Risk and Exploitability

The CVSS base score of 4.3 classifies the risk as moderate, but the lack of an EPSS score and the absence from the CISA KEV catalog suggest no known widespread exploitation yet. Nevertheless, the exploit requires a single authenticated request after an EE‑subscription create, making it a relatively straightforward local or remote authenticated attack. The denial of service could disrupt network services for any UE whose subscriptions are impacted.

Generated by OpenCVE AI on May 27, 2026 at 19:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the 4.2.2 release of free5GC or later to resolve the nil pointer error.
  • Temporarily block or throttle access to the DELETE /subscription‑data endpoint until the patch is deployed to prevent repeated crashes.
  • Monitor UDR logs for HTTP 500 responses on this endpoint and audit for unauthorized DELETE attempts.

Generated by OpenCVE AI on May 27, 2026 at 19:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4rqf-grm6-vf75 free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing subsId when UE state exists (nil pointer dereference)
History

Mon, 01 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*

Thu, 28 May 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc free5gc
Vendors & Products Free5gc
Free5gc free5gc

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks _, ok = UESubsData.EeSubscriptionCollection[subsId] and sets a 404 problem-details on the miss path, but then continues to UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos -- dereferencing the same missing entry instead of returning. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2.
Title free5GC: UDR nudr-dr DELETE amf-subscriptions panics on missing subsId when UE state exists (nil pointer dereference)
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Free5gc Free5gc
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T17:08:45.474Z

Reserved: 2026-05-05T19:00:06.022Z

Link: CVE-2026-44323

cve-icon Vulnrichment

Updated: 2026-06-01T17:08:40.959Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T17:16:37.627

Modified: 2026-05-28T17:02:32.040

Link: CVE-2026-44323

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T03:30:05Z

Weaknesses