CVE-2026-44328

HIGH

free5GC: SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating

Title source: cna
STIX 2.1

Description

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. On top of that, the DELETE /upi/v1/upNodesLinks/{upNodeRef} handler unconditionally dereferences upNode.UPF after the type-guarded async release, even though AN-typed nodes are constructed without a UPF object. As a result, a single unauthenticated DELETE /upi/v1/upNodesLinks/gNB1 request crashes the handler with a nil-pointer panic AND mutates the in-memory user-plane topology before panicking (the UpNodeDelete(upNodeRef) line runs first). This is an unauthenticated, state-mutating panic-DoS sink that an off-path network attacker can trigger by name against any AN entry. This vulnerability is fixed in 4.2.2.

References (4)

Core 4

Scores

CVSS v3 8.2
EPSS 0.0030
EPSS Percentile 21.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-306 CWE-476 CWE-862
Status published
Products (2)
free5gc/free5gc < 4.2.2 (2 CPE variants)
free5gc/smf 0 - 1.4.3Go
Published May 27, 2026
Tracked Since May 27, 2026