Perceptive Security
SOC/SIEM Consultancy
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF terminates the entire process when a stored PFD-subscription noti…
Published:
26 May 2026 at 22:00:00
Alert date:
27 May 2026 at 20:13:41
Source:
nvd.nist.gov
Mobile & IoT, Network Infrastructure, Critical Infrastructure
CVE-2026-44319 affects free5GC, an open-source 5G core network implementation. Prior to version 4.2.2, the NEF (Network Exposure Function) component terminates the entire process when a PFD-subscription notifyUri cannot be reached. An attacker can create a PFD subscription with a malicious notifyUri and trigger a PFD change to deterministically kill the NEF process. The vulnerability occurs in PfdChangeNotifier.FlushNotifications() where delivery errors invoke logger.PFDManageLog.Fatal(err), equivalent to os.Exit(1) in Go. This causes the NEF's entire SBI surface to drop until restart. The issue has been fixed in version 4.2.2.
Technical details
Mitigation steps:
Affected products:
free5GC
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-44319
https://github.com/free5gc/free5gc/issues/924
https://github.com/free5gc/free5gc/security/advisories/GHSA-rxrq-fv76-26pr
https://github.com/free5gc/nef/commit/f110517b1189801950b50668a593398687049074
https://github.com/free5gc/nef/pull/25
Related CVE's:
Related threat actors:
IOC's:
This article was created with the assistance of AI technology by Perceptive.