CVE-2026-33064

Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to procedure panic caused by Nil Pointer Dereference in the /sdm-subscriptions endpoint. A remote attacker can cause the UDM service to panic and crash by sending a crafted POST request to the /sdm-subscriptions endpoint with a malformed URL path containing path traversal sequences (../) and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go attempts to access a nil pointer without proper validation, causing a complete service crash with "runtime error: invalid memory address or nil pointer dereference". Exploitation would result in UDM functionality disruption until recovery by restart. This issue has been fixed in version 1.4.2.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/free5gc/free5gc/issues/781	Exploit Issue Tracking Patch Vendor Advisory
https://github.com/free5gc/free5gc/security/advisories/GHSA-7g27-v5wj-jr75	Patch Vendor Advisory
https://github.com/free5gc/udm/commit/65d7070f4bfd016864cbbaefbd506bbc85d2fa92	Patch
https://github.com/free5gc/udm/pull/78	Issue Tracking Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*

History

No history.

Information

Published : 2026-03-20 08:16

Updated : 2026-03-23 18:43

NVD link : CVE-2026-33064

Mitre link : CVE-2026-33064

CVE.ORG link : CVE-2026-33064

JSON object : View

Products Affected

free5gc

udm

CWE

CWE-478

Missing Default Case in Multiple Condition Expression

CWE-476

NULL Pointer Dereference

{"id": "CVE-2026-33064", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-20T08:16:12.257", "references": [{"url": "https://github.com/free5gc/free5gc/issues/781", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-7g27-v5wj-jr75", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/free5gc/udm/commit/65d7070f4bfd016864cbbaefbd506bbc85d2fa92", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/free5gc/udm/pull/78", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-478"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to procedure panic caused by Nil Pointer Dereference in the /sdm-subscriptions endpoint. A remote attacker can cause the UDM service to panic and crash by sending a crafted POST request to the /sdm-subscriptions endpoint with a malformed URL path containing path traversal sequences (../) and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go attempts to access a nil pointer without proper validation, causing a complete service crash with \"runtime error: invalid memory address or nil pointer dereference\". Exploitation would result in UDM functionality disruption until recovery by restart. This issue has been fixed in version 1.4.2."}, {"lang": "es", "value": "Free5GC es un proyecto de c\u00f3digo abierto de la Linux Foundation para redes centrales m\u00f3viles de quinta generaci\u00f3n (5G). Las versiones anteriores a la 1.4.2 son vulnerables a un p\u00e1nico de procedimiento causado por una desreferenciaci\u00f3n de puntero nulo (Nil Pointer Dereference) en el endpoint /sdm-subscriptions. Un atacante remoto puede causar que el servicio UDM entre en p\u00e1nico y falle enviando una solicitud POST manipulada al endpoint /sdm-subscriptions con una ruta URL malformada que contenga secuencias de salto de ruta (../) y una carga \u00fatil JSON grande. La funci\u00f3n DataChangeNotificationProcedure en notifier.go intenta acceder a un puntero nulo sin la validaci\u00f3n adecuada, lo que provoca un fallo completo del servicio con el error 'runtime error: invalid memory address or nil pointer dereference'. La explotaci\u00f3n resultar\u00eda en la interrupci\u00f3n de la funcionalidad del UDM hasta su recuperaci\u00f3n mediante un reinicio. Este problema ha sido solucionado en la versi\u00f3n 1.4.2."}], "lastModified": "2026-03-23T18:43:25.237", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "C4C4212B-95F4-49DD-B6DA-F6DF4D8D7257", "versionEndExcluding": "1.4.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}