CVE-2026-44323
MEDIUMfree5GC: UDR nudr-dr DELETE amf-subscriptions panics on missing subsId when UE state exists (nil pointer dereference)
Title source: cnaDescription
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks _, ok = UESubsData.EeSubscriptionCollection[subsId] and sets a 404 problem-details on the miss path, but then continues to UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos -- dereferencing the same missing entry instead of returning. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/free5gc/free5gc/security/advisories/GHSA-4rqf-grm6-vf75
X_Refsource_Misc x_refsource_misc
https://github.com/free5gc/free5gc/issues/919
X_Refsource_Misc x_refsource_misc
https://github.com/free5gc/udr/pull/60
X_Refsource_Misc x_refsource_misc
https://github.com/free5gc/udr/commit/8a1d3c63be99d378806d771f086ff32f1867da99
Scores
CVSS v3
4.3
EPSS
0.0032
EPSS Percentile
24.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Details
CWE
CWE-476
Status
published
Products (2)
free5gc/free5gc
< 4.2.2 (2 CPE variants)
free5gc/udr
0 - 1.4.3Go
Published
May 27, 2026
Tracked Since
May 27, 2026