free5GC NEF, Null Pointer Dereference, CVE-2026-44322 (High) -DC-May2026-4

Listen to this Post

Intro

free5GC is an open‑source implementation of the 5G core network. Prior to version 4.2.2, the NEF component exposes a PATCH endpoint:

`/3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId}`

When an upstream call to the Unified Data Repository (UDR) fails and the consumer wrapper returns both a non‑nil error and a nil `ProblemDetails` object, the handler enters a specific error branch. In this branch, the code correctly builds its own `problemDetailsErr` structure (e.g., with status 500 and a detail message). However, immediately after creating it, the handler dereferences `problemDetails.Cause` — not the locally built `problemDetailsErr` — but `problemDetails` itself is nil in this branch. This nil‑pointer dereference triggers a Go runtime panic. The Gin web framework recovers the panic and turns it into an HTTP 500 response.
Instead of returning the intended controlled error response, a single PATCH request yields an unhandled panic → HTTP 500 whenever the UDR is unreachable. Because the endpoint is mounted without authentication middleware, an attacker can repeat this condition and cause continuous service disruption (Denial of Service). The vulnerability is fixed in version 4.2.2 by correcting the dereference to use the locally built error structure.

DailyCVE Form

Platform: free5GC NEF
Version: <4.2.2
Vulnerability: Nil ptr deref
Severity: HIGH
date: 2026-05-27

Prediction: Already in 4.2.2

What Undercode Say

Verify vulnerable version
docker run --rm free5gc/nef:v4.2.1 --version
Trigger panic when UDR is unreachable
curl -X PATCH "http://<nef-ip>:8000/3gpp-pfd-management/v1/af1/transactions/tx1/applications/app1" \
-H "Content-Type: application/json" \
-d '{"pfdData": [{"applicationId": "test"}]}'
Expected outcome (nil panic):
HTTP/1.1 500 Internal Server Error
{"error":"runtime error: invalid memory address or nil pointer dereference"}

Exploit

An attacker sends a crafted PATCH request to the vulnerable endpoint while the UDR is unreachable (e.g., network partition, service crash). Because the NEF route is not protected by authentication, the request is processed directly. The nil‑pointer dereference crashes the NEF goroutine, which is recovered by Gin but logged as a panic. Repeated requests cause continuous HTTP 500 responses and log pollution, effectively denying legitimate PFD management operations.

Protection

  • Upgrade free5GC to v4.2.2 or newer (patch commit: 72a47f3).
  • Apply the one‑line code fix: replace `c.Set(sbi.IN_PB_DETAILS_CTX_STR, problemDetails.Cause)` with `c.Set(sbi.IN_PB_DETAILS_CTX_STR, problemDetailsErr.Cause)` in pfd.go.
  • Restrict inbound access to the NEF endpoint (e.g., use network ACLs or authentication proxy) until the upgrade is complete.
  • Monitor logs for `runtime error: invalid memory address` patterns to detect potential attacks.

Impact

  • Availability (High) – Repeated exploitation crashes the NEF component, disrupting 5G core network management functions that depend on PFD updates.
  • Confidentiality (None) – No data exposure.
  • Integrity (None) – No data tampering.
  • CVSS 3.1 score – 7.5 (High) (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
  • EPSS – ~0.05% probability of exploitation in the next 30 days (low, because the precondition requires UDR unavailability).

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top