free5GC, Concurrent Map Access, CVE-2026-44318 (Medium) -DC-May2026-21

Listen to this Post

Intro

CVE-2026-44318 affects free5GC, an open‑source 5G core network implementation. The vulnerability resides in the BSF (Binding Support Function) component, specifically the HTTP PUT handler for /nbsf-management/v1/subscriptions/{subId}.
In normal operation, the handler retrieves a subscription by calling BSFContext.GetSubscription(subId). This function reads from a global `Subscriptions` map while holding a read lock (RLock()). If the subscription does not exist, the code proceeds to ReplaceIndividualSubscription(), which writes a new entry directly into the same global map using `bsfContext.BsfSelf.Subscriptions

 = subscription` — without acquiring the write lock.
Under concurrent authenticated PUT requests, one goroutine may be reading the map (under the read lock) while another goroutine writes to the same map without any lock. The Go runtime detects this unsynchronized concurrent read/write and immediately aborts the process with a fatal error: <code>fatal error: concurrent map read and map write</code>.
Unlike a recoverable panic, this fatal error bypasses `recover()` and terminates the BSF container. The process exits with code 2, taking down the entire BSF Service‑Based Interface (SBI) surface. The only recovery is a full container restart.
The vulnerability is triggered only under load with multiple authenticated PUT requests racing to create the same non‑existent subscription. No explicit data corruption or memory safety issue occurs, but the availability impact is severe for any 5G core relying on BSF. The flaw was fixed in version 4.2.2 by ensuring that writes to the global map are protected by the same mutex used for reads.

<h2 style="color: blue;">DailyCVE Form:</h2>

Platform: free5GC BSF
Version: prior 4.2.2
Vulnerability: Concurrent map write
Severity: Medium
date: 28 May 2026

<h2 style="color: blue;">Prediction: 27 May 2026</h2>

<h2 style="color: blue;">What Undercode Say:</h2>

[bash]
Check free5GC version (from bsf binary)
./bsf --version
Simulate concurrent PUT race condition
for i in {1..100}; do
curl -X PUT http://bsf-sbi/nbsf-management/v1/subscriptions/non-existent-id \
-H "Content-Type: application/json" -d '{"subscriptionData":{}}' &
done
Monitor BSF container exit code
docker ps -a | grep bsf
docker inspect <bsf-container> --format='{{.State.ExitCode}}'
Observe fatal error in logs
kubectl logs -f bsf-pod | grep "concurrent map"

Exploit:

Authenticated attacker sends many concurrent PUT requests to create the same missing subscription ID. The racing goroutines cause an unsynchronized map write, crashing the BSF process. No special payload needed – only timing and parallel requests.

Protection:

Upgrade to free5GC 4.2.2 or later. If patching is not immediate, deploy a reverse proxy that rate‑limits or serializes PUT requests to /nbsf-management/v1/subscriptions/. Use admission controllers to reduce concurrency, or run BSF with automated restart (e.g., Kubernetes restartPolicy: Always).

Impact:

Denial of service of the BSF component. All 5G core functions that rely on BSF (e.g., PCF session binding, policy association) become unavailable until the container restarts. Repeated exploitation can keep BSF offline, disrupting network operations. No data leak or code execution.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top