CVE-2026-33064

Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to procedure panic caused by Nil Pointer Dereference in the /sdm-subscriptions endpoint. A remote attacker can cause the UDM service to panic and crash by sending a crafted POST request to the /sdm-subscriptions endpoint with a malformed URL path containing path traversal sequences (../) and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go attempts to access a nil pointer without proper validation, causing a complete service crash with "runtime error: invalid memory address or nil pointer dereference". Exploitation would result in UDM functionality disruption until recovery by restart. This issue has been fixed in version 1.4.2.
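The defect class named above, as an added illustration that is not free5gc's own code: a hypothetical Go notification procedure that dereferences the result of a subscription lookup without a nil check, shown beside the guarded form and a recover wrapper that keeps one bad request from taking the whole network function down. The type, function and variable names (SdmSubscription, store, notifyUnchecked, notifyChecked, safeNotify) and the sample record are assumptions.

```go
package main

import "fmt"

// SdmSubscription is a hypothetical, simplified subscription record.
type SdmSubscription struct {
	SupiID      string
	CallbackURI string
}

// store is a constructed in-memory table keyed by subscription ID.
var store = map[string]*SdmSubscription{
	"sub-1": {SupiID: "imsi-208930000000001", CallbackURI: "http://nf.example/cb"},
}

// lookup returns nil for an unknown ID; that nil is the CWE-476 hazard.
func lookup(subID string) *SdmSubscription { return store[subID] }

// notifyUnchecked has the vulnerable shape: the lookup result is
// dereferenced without a nil check, so an unknown ID panics.
func notifyUnchecked(subID string) string {
	return lookup(subID).CallbackURI // panics when lookup returns nil
}

// notifyChecked is the hardened form: validate before dereferencing and
// return an error the HTTP handler can map to a 4xx response.
func notifyChecked(subID string) (string, error) {
	sub := lookup(subID)
	if sub == nil {
		return "", fmt.Errorf("no such subscription: %q", subID)
	}
	return sub.CallbackURI, nil
}

// safeNotify is a defence-in-depth wrapper: recover turns a panic in the
// procedure into an error instead of crashing the whole process.
func safeNotify(subID string) (uri string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("procedure panicked: %v", r)
		}
	}()
	return notifyUnchecked(subID), nil
}

func main() {
	fmt.Println(notifyChecked("sub-1")) // http://nf.example/cb <nil>
	fmt.Println(safeNotify("missing"))  // "" and a "procedure panicked" error
}
```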
Configurations

Configuration 1

cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*

History

23 Mar 2026, 18:43

Type / Values Removed / Values Added

CVSS
  Removed: v2 : unknown, v3 : unknown
  Added: v2 : unknown, v3 : 7.5

CPE
  Added: cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*

References
  Removed: https://github.com/free5gc/free5gc/issues/781 (no tags)
  Added: https://github.com/free5gc/free5gc/issues/781 - Exploit, Issue Tracking, Patch, Vendor Advisory

References
  Removed: https://github.com/free5gc/free5gc/security/advisories/GHSA-7g27-v5wj-jr75 (no tags)
  Added: https://github.com/free5gc/free5gc/security/advisories/GHSA-7g27-v5wj-jr75 - Patch, Vendor Advisory

References
  Removed: https://github.com/free5gc/udm/commit/65d7070f4bfd016864cbbaefbd506bbc85d2fa92 (no tags)
  Added: https://github.com/free5gc/udm/commit/65d7070f4bfd016864cbbaefbd506bbc85d2fa92 - Patch

References
  Removed: https://github.com/free5gc/udm/pull/78 (no tags)
  Added: https://github.com/free5gc/udm/pull/78 - Issue Tracking, Patch

CWE
  Added: CWE-476

Summary
  Added: (es) Free5GC is an open-source Linux Foundation project for fifth-generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to a procedure panic caused by a Nil Pointer Dereference in the /sdm-subscriptions endpoint. A remote attacker can cause the UDM service to panic and crash by sending a crafted POST request to the /sdm-subscriptions endpoint with a malformed URL path containing path traversal sequences (../) and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go attempts to access a nil pointer without proper validation, causing a complete service failure with the error 'runtime error: invalid memory address or nil pointer dereference'. Exploitation would result in disruption of UDM functionality until recovery by restart. This issue has been fixed in version 1.4.2.

First Time
  Added: Free5gc udm; Free5gc

20 Mar 2026, 08:16

Type / Values Removed / Values Added

New CVE

Information

Published : 2026-03-20 08:16

Updated : 2026-03-23 18:43

NVD link : CVE-2026-33064

Mitre link : CVE-2026-33064

CVE.ORG link : CVE-2026-33064

Products Affected

free5gc

  • udm
CWE

CWE-478 - Missing Default Case in Multiple Condition Expression

CWE-476 - NULL Pointer Dereference