Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does not exist in UESubsCollection. The processor checks value, ok := udrSelf.UESubsCollection.Load(ueId) and sets a 404 USER_NOT_FOUND problem-details on the miss path, but execution continues and immediately runs value.(*udr_context.UESubsData) -- a Go type assertion on a nil interface, which panics with interface conversion: interface {} is nil, not *context.UESubsData. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2.
Published: 2026-05-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Go panic caused by an unprotected type assertion to *udr_context.UESubsData when the ueId does not exist in the UESubsCollection. Because of the missing nil check, the application produces an interface conversion panic that Gin's recovery converts into an HTTP 500 response. This flaw is a type‑mismatch error (CWE‑704) combined with improper error handling (CWE‑754) and allows an attacker to repeatedly trigger a server crash, resulting in service disruption.

Affected Systems

Affected are installations of the free5GC core network implementation before version 4.2.2. The problematic DELETE endpoint is /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions. The issue is fixed starting with free5GC 4.2.2; any release earlier than that remains vulnerable.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity. EPSS is not available, and the vulnerability is not listed in CISA KEV. An attacker must first authenticate to the UDR service to send a DELETE request with a non‑existent ueId. Successful exploitation results in a server panic and repeated HTTP 500 responses until the service is restarted, effectively denying service to legitimate users. The risk is therefore a remote authenticated denial of service.

Generated by OpenCVE AI on May 27, 2026 at 19:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5GC to version 4.2.2 or later.
  • If an update is not immediately possible, apply the hotfix commit 8a1d3c63 or merge the pull request that removes the nil assertion.
  • Restrict access to the DELETE /subscription-data/... endpoint to trusted administrators or use network policy to limit traffic.

Generated by OpenCVE AI on May 27, 2026 at 19:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jqfc-gwj5-3w63 free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request)
History

Fri, 29 May 2026 09:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*

Thu, 28 May 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc free5gc
Vendors & Products Free5gc
Free5gc free5gc

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does not exist in UESubsCollection. The processor checks value, ok := udrSelf.UESubsCollection.Load(ueId) and sets a 404 USER_NOT_FOUND problem-details on the miss path, but execution continues and immediately runs value.(*udr_context.UESubsData) -- a Go type assertion on a nil interface, which panics with interface conversion: interface {} is nil, not *context.UESubsData. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2.
Title free5GC: UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request)
Weaknesses CWE-704
CWE-754
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Free5gc Free5gc
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T14:38:09.624Z

Reserved: 2026-05-05T19:00:06.023Z

Link: CVE-2026-44324

cve-icon Vulnrichment

Updated: 2026-05-28T14:37:51.215Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T17:16:37.767

Modified: 2026-06-17T10:50:30.267

Link: CVE-2026-44324

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T03:30:05Z

Weaknesses
  • CWE-704

    Incorrect Type Conversion or Cast

  • CWE-754

    Improper Check for Unusual or Exceptional Conditions