CVE-2026-44323

MEDIUM 4.3

free5GC: UDR nudr-dr DELETE amf-subscriptions panics on missing subsId when UE state exists (nil pointer dereference)

CVSS Score

4.3

EPSS Score

0.1%

EPSS Percentile

18th

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks _, ok = UESubsData.EeSubscriptionCollection[subsId] and sets a 404 problem-details on the miss path, but then continues to UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos -- dereferencing the same missing entry instead of returning. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2.

CWE	CWE-476
Vendor	free5gc
Product	free5gc
Published	May 27, 2026
Last Updated	Jun 1, 2026

Stay Ahead of the Next One

Get instant alerts for free5gc free5gc

Be the first to know when new medium vulnerabilities affecting free5gc free5gc are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Affected Versions

free5gc / free5gc

< 4.2.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/free5gc/free5gc/security/advisories/GHSA-4rqf-grm6-vf75 github.com: https://github.com/free5gc/free5gc/issues/919 github.com: https://github.com/free5gc/udr/pull/60 github.com: https://github.com/free5gc/udr/commit/8a1d3c63be99d378806d771f086ff32f1867da99