CVE-2026-44321
HighSummary
In versions prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. An attacker can send malicious JSON, leading to a crash of the entire SMF process on invalid data.
Risk Assessment
The organization may experience significant disruptions in the operation of the 5G network, potentially leading to service unavailability and security data issues.
Recommendation
It is recommended to upgrade to version 4.2.2 or later to mitigate this vulnerability and implement appropriate security mechanisms for incoming requests.
Original NVD description (English source)
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. The POST /upi/v1/upNodesLinks create-or-update handler accepts attacker-controlled JSON and passes it directly into UpNodesFromConfiguration(), which calls logger.InitLog.Fatalf(...) on several validation failures. One confirmed path is the UE-IP-pool overlap check: a single unauthenticated POST that adds a new UPF whose pool overlaps an existing UPF terminates the entire SMF process (docker ps shows Exited (1)), not just the goroutine. This vulnerability is fixed in 4.2.2.

