free5GC UDR, Fail-open request handling, CVE-2026-40343 (Moderate)

Listen to this Post

The core of this vulnerability is a fail‑open flaw in the UDR service’s `HandlePolicyDataSubsToNotifyPost` function. This handler processes POST requests to `/nudr-dr/v2/policy-data/subs-to-notify` and is intended to create a Policy Data notification subscription only after a valid request body has been successfully read and parsed.

The flawed request flow proceeds as follows:

  1. The handler calls `c.GetRawData()` to retrieve the HTTP request body.
  2. If `GetRawData()` fails, the handler sends an HTTP 500 error response but does not return.

3. The handler then calls `openapi.Deserialize(policyDataSubscription, reqBody, “application/json”)`.

  1. If deserialization fails, the handler sends an HTTP 400 error response but again does not return.
  2. Regardless of the errors, execution continues and invokes s.Processor().PolicyDataSubsToNotifyPostProcedure(c, policyDataSubscription).
    Because the handler does not abort the request after a failure, the processor may receive an uninitialised, partially initialised, or otherwise unintended `PolicyDataSubscription` object. This differs from safer handlers in the same file that use a helper pattern to explicitly return on body read or deserialisation failures.
    The exact runtime impact depends on downstream processor behaviour and storage validation, but at minimum this is a security‑relevant robustness flaw that can lead to inconsistent request handling and, under certain conditions, the creation of invalid or unintended subscription state. The code path has been statically confirmed, though a complete runtime proof of unintended subscription creation has not yet been established.
    The recommended patch adds missing `return` statements after each error response and corrects the deserialisation call to pass a pointer to the destination object.

    Platform: free5GC UDR
    Version: 4.2.1 and below
    Vulnerability: Fail-open error handling
    Severity: Moderate
    date: 2026-04-21
    Prediction: Patch available 2026-04-21
    

Analytics under What Undercode Say:

Check running UDR version
free5gc-udr --version
Simulate a malformed request to trigger fail-open behaviour
curl -X POST http://<udr-host>:29503/nudr-dr/v2/policy-data/subs-to-notify \
-H "Content-Type: application/json" \
-d '{"invalid": "json"}' \
-v
Monitor logs for error responses followed by continued processing
tail -f /var/log/free5gc/udr.log | grep -E "Get Request Body error|Deserialize Request Body error|PolicyDataSubsToNotifyPostProcedure"

Exploit:

An attacker can send a POST request to `/nudr-dr/v2/policy-data/subs-to-notify` with an invalid or empty body (e.g., {}). Despite the UDR returning an HTTP 400 or 500 error, the processor is still invoked with a malformed `PolicyDataSubscription` object. Depending on how the downstream processor and storage handle such objects, this may result in the creation of an unintended subscription or other inconsistent state.

Protection from this CVE:

  • Apply the official patch that adds missing `return` statements and corrects the deserialisation call.
  • Upgrade to a patched version of free5GC UDR (e.g., version >4.2.1).
  • If patching is not immediately possible, implement a reverse proxy or API gateway that validates the request body before forwarding it to the UDR, rejecting malformed requests before they reach the vulnerable handler.

Impact:

  • Inconsistent subscription state: The UDR may create subscriptions with empty, partially initialised, or invalid data, leading to unpredictable behaviour in the 5G core network.
  • Bypass of input validation: Because execution continues after errors, the usual input validation and error‑handling mechanisms are effectively bypassed.
  • Potential for further abuse: While the exact consequences depend on the downstream processor, this flaw could be chained with other issues to compromise the integrity of policy data.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top