top of page
perceptive_background_267k.jpg

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 midd…

Published:

26 May 2026 at 22:00:00

Alert date:

27 May 2026 at 20:13:41

Source:

nvd.nist.gov

Click to open the original link from this advisory

Network Infrastructure, Mobile & IoT, Critical Infrastructure

CVE-2026-44321 affects free5GC, an open-source 5G core network implementation. Prior to version 4.2.2, the SMF component mounts the UPI management route group without OAuth2 middleware protection. An unauthenticated attacker can send a malicious POST request to /upi/v1/upNodesLinks with crafted JSON that triggers validation failures in UpNodesFromConfiguration(). The UE-IP-pool overlap check causes logger.InitLog.Fatalf() to terminate the entire SMF process, creating a denial of service condition. The vulnerability allows complete SMF process termination through a single unauthenticated request, making it a high-severity issue for 5G network infrastructure. The issue is fixed in version 4.2.2.

Technical details

Mitigation steps:

Affected products:

free5GC

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-44321
https://github.com/free5gc/free5gc/issues/906
https://github.com/free5gc/free5gc/security/advisories/GHSA-44qj-cghf-9p97
https://github.com/free5gc/smf/commit/e0974e07ddab44a67d36a563cca383b2449e33e5
https://github.com/free5gc/smf/pull/203

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page