Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. On top of that, the DELETE /upi/v1/upNodesLinks/{upNodeRef} handler unconditionally dereferences upNode.UPF after the type-guarded async release, even though AN-typed nodes are constructed without a UPF object. As a result, a single unauthenticated DELETE /upi/v1/upNodesLinks/gNB1 request crashes the handler with a nil-pointer panic AND mutates the in-memory user-plane topology before panicking (the UpNodeDelete(upNodeRef) line runs first). This is an unauthenticated, state-mutating panic-DoS sink that an off-path network attacker can trigger by name against any AN entry. This vulnerability is fixed in 4.2.2.
Published: 2026-05-27
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In versions before 4.2.2, free5GC's Session Management Function (SMF) mounts the UPI management routes without inbound OAuth2 authentication. The DELETE /upi/v1/upNodesLinks/{upNodeRef} handler unconditionally dereferences upNode.UPF after the type-guarded asynchronous release. AN-typed nodes are created without a UPF, so for them the dereference results in a nil-pointer panic. The handler also changes the in-memory user-plane topology before panicking, so the state mutation occurs prior to the crash. As a result, a single unauthenticated DELETE request that targets an AN entry causes the SMF to crash and the topology to be altered, which is an unauthenticated, state-mutating denial-of-service vulnerability.
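The pattern described above, as an added Go model that is not free5GC source code: the same handler is called once in its pre-fix form (no middleware, unconditional dereference) and once behind an authentication wrapper with a nil guard. `deleteNode`, `requireToken`, `try`, `Topology`, `UPNode` and the static bearer token are assumptions made for illustration; only `upNode.UPF`, `UpNodeDelete` and the route path come from the advisory.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Illustrative model, not free5GC code: a nil UPF marks an AN-typed node.
type UPNode struct{ UPF *struct{ cancelled bool } }
type Topology map[string]*UPNode

// deleteNode models the DELETE handler; guard=false keeps the pre-fix dereference.
func deleteNode(t Topology, guard bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		ref := strings.TrimPrefix(r.URL.Path, "/upi/v1/upNodesLinks/")
		n, ok := t[ref]
		delete(t, ref) // stands in for UpNodeDelete(upNodeRef): state changes first
		if ok && (!guard || n.UPF != nil) {
			n.UPF.cancelled = true // nil on AN nodes: panics when unguarded
		}
		w.WriteHeader(http.StatusNoContent)
	}
}

// requireToken stands in for OAuth2 middleware; real code validates an issued token.
func requireToken(token string, next http.Handler) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	}
}

// try sends one DELETE; reports status, handler panic, and whether the node survived.
func try(h http.Handler, t Topology, ref, auth string) (code int, panicked, present bool) {
	defer func() { panicked = recover() != nil; _, present = t[ref] }()
	req := httptest.NewRequest(http.MethodDelete, "/upi/v1/upNodesLinks/"+ref, nil)
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, false, false
}

var demo = Topology{"gNB1": {}} // constructed AN entry with no UPF
func main() { fmt.Println(try(deleteNode(demo, false), demo, "gNB1", "")) }
```

In the pre-fix call the node is already gone from the map when the panic is recovered, which is the state mutation the advisory describes.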

Affected Systems

The affected product is the free5GC open‑source core network stack, specifically the SMF component. All releases prior to version 4.2.2 are impacted, along with any deployments that do not enable OAuth2 protection on the UPI routes. Affected systems include any service that exposes the DELETE /upi/v1/upNodesLinks endpoint and accepts unfiltered requests.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.2, indicating high severity. The EPSS score is not available, but the lack of authentication makes it straightforward to exploit from any network point that can reach the SMF. Although the vulnerability is not listed in the CISA KEV catalog, its denial-of-service and state-mutation characteristics render it a high-priority issue. An off-path attacker can issue a single HTTP DELETE request without credentials to induce the crash and modify the topology, leading to service interruption for the affected network elements.

Generated by OpenCVE AI on May 27, 2026 at 19:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5GC SMF to version 4.2.2 or later, which contains the fix that guards against nil dereferences and enforces authentication on UPI routes.
  • Restrict access to the DELETE /upi/v1/upNodesLinks endpoint so that only authenticated requests are accepted, for example by enabling OAuth2 middleware or applying firewall rules to block unauthenticated DELETE traffic.
  • As an interim measure, disable or remove the DELETE /upi/v1/upNodesLinks handler from the SMF deployment until a patch is applied, to prevent accidental crashes and topology changes.

Advisories
Source: GitHub GHSA
ID: GHSA-p9mg-74mg-cwwr
Title: free5GC's SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating
History

Thu, 28 May 2026 16:30:00 +0000

CPEs (added): cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*

Thu, 28 May 2026 03:45:00 +0000

First Time appeared (added): Free5gc; Free5gc free5gc
Vendors & Products (added): Free5gc; Free5gc free5gc

Wed, 27 May 2026 18:30:00 +0000

Metrics (added): ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 16:30:00 +0000

Description (added): identical to the Description at the top of this page
Title (added): free5GC: SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating
Weaknesses (added): CWE-306, CWE-476, CWE-862
References:
Metrics (added): cvssV3_1
{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:42:00.534Z

Reserved: 2026-05-05T19:00:06.023Z

Link: CVE-2026-44328

Vulnrichment

Updated: 2026-05-27T17:40:40.955Z

NVD

Status: Analyzed

Published: 2026-05-27T17:16:38.347

Modified: 2026-06-17T10:50:30.707

Link: CVE-2026-44328

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T03:30:05Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function
  • CWE-476: NULL Pointer Dereference
  • CWE-862: Missing Authorization