CVE-2026-44328
HighSummary
In versions prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. As a result, an unauthenticated DELETE /upi/v1/upNodesLinks/gNB1 request crashes the handler with a nil-pointer panic and mutates the in-memory user-plane topology.
Risk Assessment
An off-path network attacker can exploit this vulnerability to trigger a denial-of-service (DoS) and alter the system state, potentially disrupting the operation of the 5G network.
Recommendation
It is recommended to upgrade to version 4.2.2 or later to eliminate this vulnerability and secure the system against unauthorized access.
Original NVD description (English source)
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. On top of that, the DELETE /upi/v1/upNodesLinks/{upNodeRef} handler unconditionally dereferences upNode.UPF after the type-guarded async release, even though AN-typed nodes are constructed without a UPF object. As a result, a single unauthenticated DELETE /upi/v1/upNodesLinks/gNB1 request crashes the handler with a nil-pointer panic AND mutates the in-memory user-plane topology before panicking (the UpNodeDelete(upNodeRef) line runs first). This is an unauthenticated, state-mutating panic-DoS sink that an off-path network attacker can trigger by name against any AN entry. This vulnerability is fixed in 4.2.2.

