CVE-2026-33191

Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to null byte injection in URL path parameters. A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the UDM's Nudm_SubscriberDataManagement API. This causes URL parsing failure in Go's net/url package with the error "invalid control character in URL", resulting in a 500 Internal Server Error. This null byte injection vulnerability can be exploited for denial of service attacks. When the supi parameter contains null characters, the UDM attempts to construct a URL for UDR that includes these control characters. Go's URL parser rejects them, causing the request to fail with 500 instead of properly validating input and returning 400 Bad Request. This issue has been fixed in version 1.4.2.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/free5gc/free5gc/security/advisories/GHSA-p9hg-pq3q-v9gv	Patch Vendor Advisory
https://github.com/free5gc/udm/commit/88de9fa74a1b3f3522e53b4cfa2d184712ffa4ee	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*

History

23 Mar 2026, 18:24

Type	Values Removed	Values Added
References	~~() https://github.com/free5gc/free5gc/security/advisories/GHSA-p9hg-pq3q-v9gv -~~	() https://github.com/free5gc/free5gc/security/advisories/GHSA-p9hg-pq3q-v9gv - Patch, Vendor Advisory
References	~~() https://github.com/free5gc/udm/commit/88de9fa74a1b3f3522e53b4cfa2d184712ffa4ee -~~	() https://github.com/free5gc/udm/commit/88de9fa74a1b3f3522e53b4cfa2d184712ffa4ee - Patch
Summary		(es) Free5GC es un proyecto de código abierto de la Linux Foundation para redes centrales móviles de quinta generación (5G). Las versiones anteriores a la 1.4.2 son vulnerables a la inyección de bytes nulos en los parámetros de ruta de URL. Un atacante remoto puede inyectar bytes nulos (codificados en URL como %00) en el parámetro de ruta supi de la API Nudm_SubscriberDataManagement del UDM. Esto causa un fallo en el análisis de URL en el paquete net/url de Go con el error 'invalid control character in URL', lo que resulta en un error 500 Internal Server Error. Esta vulnerabilidad de inyección de bytes nulos puede ser explotada para ataques de denegación de servicio. Cuando el parámetro supi contiene caracteres nulos, el UDM intenta construir una URL para UDR que incluye estos caracteres de control. El analizador de URL de Go los rechaza, lo que provoca que la solicitud falle con 500 en lugar de validar correctamente la entrada y devolver 400 Bad Request. Este problema ha sido solucionado en la versión 1.4.2.
CPE		cpe:2.3:a:free5gc:udm::::::go::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.6
First Time		Free5gc udm Free5gc

20 Mar 2026, 08:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-20 08:16

Updated : 2026-03-23 18:24

NVD link : CVE-2026-33191

Mitre link : CVE-2026-33191

CVE.ORG link : CVE-2026-33191

JSON object : View

Products Affected

free5gc

CWE

CWE-158

Improper Neutralization of Null Byte or NUL Character

CWE-248

Uncaught Exception

8.6 /10