CVE-2026-44317

MEDIUM 6.5

free5GC: PCF npcf-policyauthorization POST /app-sessions panics on suppFeat=1 with missing AfRoutReq via nil pointer dereference

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

15th

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's PCF POST /npcf-policyauthorization/v1/app-sessions handler panics on a single authenticated request whose ascReqData.suppFeat == "1" (enabling traffic-routing feature negotiation) and whose medComponents entries supply an afAppId but NO AfRoutReq. The create path then calls provisioningOfTrafficRoutingInfo(smPolicy, appID, routeReq, ...) with routeReq == nil and dereferences routeReq.RouteToLocs (and other fields) without a nil check, causing runtime error: invalid memory address or nil pointer dereference. Gin recovery converts the panic into HTTP 500. This vulnerability is fixed in 4.2.2.

CWE	CWE-476 CWE-754
Vendor	free5gc
Product	free5gc
Published	May 27, 2026
Last Updated	May 28, 2026

Stay Ahead of the Next One

Get instant alerts for free5gc free5gc

Be the first to know when new medium vulnerabilities affecting free5gc free5gc are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

free5gc / free5gc

< 4.2.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/free5gc/free5gc/security/advisories/GHSA-wwqh-7jm5-gj7w github.com: https://github.com/free5gc/free5gc/issues/879 github.com: https://github.com/free5gc/pcf/pull/65 github.com: https://github.com/free5gc/pcf/commit/508d70b8527a6c8c923179dad450ea01e16b6aeb