free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 midd…

CVE-2026-44328 affects free5GC, an open-source 5G core network implementation. Prior to version 4.2.2, the SMF component mounts UPI management routes without OAuth2 authentication middleware. The DELETE endpoint for upNodesLinks unconditionally dereferences upNode.UPF after type-guarded async release, even though AN-typed nodes lack UPF objects. An unauthenticated DELETE request to /upi/v1/upNodesLinks/gNB1 causes nil-pointer panic and mutates in-memory user-plane topology before crashing. This creates an unauthenticated denial-of-service vulnerability that off-path network attackers can trigger by name against any AN entry. Fixed in version 4.2.2.