Common Weakness Enumeration

CWE-754

Allowed-with-Review

Improper Check for Unusual or Exceptional Conditions

Abstraction: Class · Status: Incomplete

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

905 vulnerabilities reference this CWE, most recent first.

GHSA-WGRM-67XF-HHPQ

Vulnerability from github – Published: 2024-05-07 10:25 – Updated: 2026-05-13 15:25
VLAI
Summary
PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
Details

Impact

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

The patch removes the use of eval: https://github.com/mozilla/pdf.js/pull/18015

Workarounds

Set the option isEvalSupported to false.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.1.392"
      },
      "package": {
        "ecosystem": "npm",
        "name": "pdfjs-dist"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.67"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-4367"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-07T10:25:08Z",
    "nvd_published_at": "2024-05-14T18:15:12Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nIf pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.\n\n### Patches\nThe patch removes the use of `eval`:\nhttps://github.com/mozilla/pdf.js/pull/18015\n\n### Workarounds\nSet the option `isEvalSupported` to `false`. \n\n### References\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1893645",
  "id": "GHSA-wgrm-67xf-hhpq",
  "modified": "2026-05-13T15:25:01Z",
  "published": "2024-05-07T10:25:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4367"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/issues/7928"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/pdf.js/pull/18015"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1893645"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-827383.html"
    },
    {
      "type": "WEB",
      "url": "https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mozilla/pdf.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/pdf.js/releases/tag/v4.2.67"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/52273"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-21"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-22"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-23"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Aug/30"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF"
}

GHSA-WGVC-QG48-G9X7

Vulnerability from github – Published: 2026-02-04 21:30 – Updated: 2026-02-04 21:30
VLAI
Details

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0944"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-04T21:15:58Z",
    "severity": "MODERATE"
  },
  "details": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4.",
  "id": "GHSA-wgvc-qg48-g9x7",
  "modified": "2026-02-04T21:30:32Z",
  "published": "2026-02-04T21:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0944"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2026-001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WH6W-69XC-5RQ5

Vulnerability from github – Published: 2022-06-07 00:00 – Updated: 2022-06-07 21:15
VLAI
Summary
Improper Check for Unusual or Exceptional Conditions in Elasticsearch
Details

A Denial of Service flaw was discovered in Elasticsearch 8.0.0 through 8.2.0. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request. Version 8.2.1 contains a patch.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.elasticsearch:elasticsearch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23712"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-07T21:15:18Z",
    "nvd_published_at": "2022-06-06T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A Denial of Service flaw was discovered in Elasticsearch 8.0.0 through 8.2.0. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request. Version 8.2.1 contains a patch.",
  "id": "GHSA-wh6w-69xc-5rq5",
  "modified": "2022-06-07T21:15:18Z",
  "published": "2022-06-07T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23712"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/elastic-stack-7-17-4-and-8-2-1-security-update/305530"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/elastic/elasticsearch"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220707-0010"
    },
    {
      "type": "WEB",
      "url": "https://www.elastic.co/community/security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Check for Unusual or Exceptional Conditions in Elasticsearch"
}

GHSA-WJJJ-24CX-F28G

Vulnerability from github – Published: 2026-07-01 20:04 – Updated: 2026-07-01 20:04
VLAI
Summary
SurrealDB has unauthenticated remote DoS via malformed RPC `use` call
Details

A single unauthenticated WebSocket message to /rpc crashed the SurrealDB server. Sending use { db: "x" } without first selecting a namespace hit .expect("namespace should be set") in the use handler; because surrealdb-core is built with panic = 'abort', the panic terminated the process. use is callable before signin, and the per-method capability check passes by default for guest callers — so no credentials, token, or --allow-guests flag are required.

Impact

An unauthenticated remote attacker who could reach the /rpc endpoint could crash the SurrealDB server with a single WebSocket message. No credentials, token, session knowledge, or capability are required.

Patches

A patch has been introduced that returns a typed invalid_params response when db is set on a session with no ns, replacing the panic.

  • Versions 3.1.0 and later are not affected by this issue.

Workarounds

Affected users who are unable to update should restrict network access to the /rpc endpoint to trusted clients, and run SurrealDB under a process supervisor that restarts on crash.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-01T20:04:22Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "A single unauthenticated WebSocket message to `/rpc` crashed the SurrealDB server. Sending `use { db: \"x\" }` without first selecting a namespace hit `.expect(\"namespace should be set\")` in the `use` handler; because `surrealdb-core` is built with `panic = \u0027abort\u0027`, the panic terminated the process. `use` is callable before `signin`, and the per-method capability check passes by default for guest callers \u2014 so no credentials, token, or `--allow-guests` flag are required.\n\n### Impact\n\nAn unauthenticated remote attacker who could reach the `/rpc` endpoint could crash the SurrealDB server with a single WebSocket message. No credentials, token, session knowledge, or capability are required.\n\n### Patches\n\nA patch has been introduced that returns a typed `invalid_params` response when `db` is set on a session with no `ns`, replacing the panic.\n\n- Versions 3.1.0 and later are not affected by this issue.\n\n### Workarounds\n\nAffected users who are unable to update should restrict network access to the `/rpc` endpoint to trusted clients, and run SurrealDB under a process supervisor that restarts on crash.",
  "id": "GHSA-wjjj-24cx-f28g",
  "modified": "2026-07-01T20:04:22Z",
  "published": "2026-07-01T20:04:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-wjjj-24cx-f28g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/commit/1537ec4fbd789c61a5b43b648a854577dbe31a34"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SurrealDB has unauthenticated remote DoS via malformed RPC `use` call"
}

GHSA-WMP3-PHMX-X8Q8

Vulnerability from github – Published: 2026-01-28 21:31 – Updated: 2026-01-28 21:31
VLAI
Details

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing.This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14840"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-28T20:16:08Z",
    "severity": null
  },
  "details": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing.This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1.",
  "id": "GHSA-wmp3-phmx-x8q8",
  "modified": "2026-01-28T21:31:23Z",
  "published": "2026-01-28T21:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14840"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-126"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WP34-JMP7-4Q9F

Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2022-05-24 16:46
VLAI
Details

A CWE-248 Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a Denial of Service when sending invalid breakpoint parameters to the controller over Modbus

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7855"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-22T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "A CWE-248 Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a Denial of Service when sending invalid breakpoint parameters to the controller over Modbus",
  "id": "GHSA-wp34-jmp7-4q9f",
  "modified": "2022-05-24T16:46:14Z",
  "published": "2022-05-24T16:46:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7855"
    },
    {
      "type": "WEB",
      "url": "https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0766"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0767"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WP62-MP77-8HGF

Vulnerability from github – Published: 2022-12-21 06:30 – Updated: 2022-12-21 06:30
VLAI
Details

In sysmmu_map of sysmmu.c, there is a possible EoP due to a precondition check failure. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-238785915References: N/A

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20588"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-16T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In sysmmu_map of sysmmu.c, there is a possible EoP due to a precondition check failure. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-238785915References: N/A",
  "id": "GHSA-wp62-mp77-8hgf",
  "modified": "2022-12-21T06:30:30Z",
  "published": "2022-12-21T06:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20588"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2022-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WP8H-P32H-FWVC

Vulnerability from github – Published: 2024-02-20 15:31 – Updated: 2024-11-12 21:30
VLAI
Details

The incorrect object was checked for NULL in the built-in profiler, potentially leading to invalid memory access and undefined behavior. Note: This issue only affects the application when the profiler is running. This vulnerability affects Firefox < 123.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1556"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-20T14:15:09Z",
    "severity": "MODERATE"
  },
  "details": "The incorrect object was checked for NULL in the built-in profiler, potentially leading to invalid memory access and undefined behavior. *Note:* This issue only affects the application when the profiler is running. This vulnerability affects Firefox \u003c 123.",
  "id": "GHSA-wp8h-p32h-fwvc",
  "modified": "2024-11-12T21:30:49Z",
  "published": "2024-02-20T15:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1556"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1870414"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WPR6-P2F8-XGCJ

Vulnerability from github – Published: 2022-12-13 18:30 – Updated: 2022-12-15 15:32
VLAI
Details

In loadFromXml of ShortcutPackage.java, there is a possible crash on boot due to an uncaught exception. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-246540168

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20500"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754",
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-13T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In loadFromXml of ShortcutPackage.java, there is a possible crash on boot due to an uncaught exception. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-246540168",
  "id": "GHSA-wpr6-p2f8-xgcj",
  "modified": "2022-12-15T15:32:13Z",
  "published": "2022-12-13T18:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20500"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2022-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WR8J-6CHW-GM6P

Vulnerability from github – Published: 2026-05-08 22:39 – Updated: 2026-06-08 23:47
VLAI
Summary
free5GC's PCF npcf-smpolicycontrol POST /sm-policies panics on downstream UDR/OpenAPI 404 via nil pointer dereference
Details

Summary

free5GC's PCF POST /npcf-smpolicycontrol/v1/sm-policies handler (HandleCreateSmPolicyRequest) panics with a nil-pointer dereference when a downstream OpenAPI consumer call (UDR lookup) returns 404 Not Found and the consumer wrapper returns err != nil together with a nil response struct. The handler logs the OpenAPI error and continues executing instead of returning, then dereferences the nil response struct on a subsequent line and panics. Gin recovery converts the panic into HTTP 500, so a single attacker-shaped POST returns 500 instead of a clean 4xx whenever the downstream lookup fails. The PCF process keeps running.

The trigger is a single POST containing input that causes the downstream UDR lookup to fail (e.g. an unknown DNN). In v4.2.1 this endpoint is also reachable WITHOUT an Authorization header because the PCF Npcf_SMPolicyControl route group is mounted without inbound auth middleware (see free5gc/free5gc#844). So in the validation lab the trigger is fully unauthenticated.

Details

Validated against the PCF container in the official Docker compose lab. - free5GC version: v4.1.0 (originally reported on v4.1.0; same defect present in v4.2.1) - PCF endpoint: http://10.100.200.9:8000

Vulnerable handler path (paraphrased from the captured stack trace):

[INFO][PCF][SMpolicy] Handle CreateSmPolicy
[ERRO][PCF][Consumer] openapi error: 404, Not Found
[ERRO][PCF][GIN] panic: runtime error: invalid memory address or nil pointer dereference
  github.com/free5gc/pcf/internal/sbi/processor.(*Processor).HandleCreateSmPolicyRequest
      /go/src/free5gc/NFs/pcf/internal/sbi/processor/smpolicy.go:82 +0x562
  github.com/free5gc/pcf/internal/sbi.(*Server).HTTPCreateSMPolicy
      /go/src/free5gc/NFs/pcf/internal/sbi/api_smpolicy.go:86 +0x405

The handler's UDR-failure branch logs the OpenAPI error but does not return; the next line dereferences the nil response struct.

Code evidence (paths in free5gc/pcf): - Panic site: - NFs/pcf/internal/sbi/processor/smpolicy.go:82 - Route dispatch: - NFs/pcf/internal/sbi/api_smpolicy.go:86

PoC

Reproduced end-to-end against the running PCF at http://10.100.200.9:8000.

Send a single POST whose dnn is unknown to UDR -- this drives the downstream OpenAPI call to return 404 Not Found, which then triggers the nil-deref panic:

curl -sS -X POST 'http://10.100.200.9:8000/npcf-smpolicycontrol/v1/sm-policies' \
  -H 'Content-Type: application/json' \
  -d '{
    "supi":"imsi-208930000000003",
    "pduSessionId":1,
    "dnn":"internet-bad",
    "sliceInfo":{"sst":1,"sd":"010203"},
    "servingNetwork":{"mcc":"208","mnc":"93"},
    "accessType":"3GPP_ACCESS",
    "notificationUri":"http://smf.free5gc.org:8000/npcf-smpolicycontrol/v1/notify"
  }'

Observed response: HTTP 500 Internal Server Error with empty body.

PCF container logs show:

[INFO][PCF][SMpolicy] Handle CreateSmPolicy
[ERRO][PCF][Consumer] openapi error: 404, Not Found
[ERRO][PCF][GIN] panic: runtime error: invalid memory address or nil pointer dereference
  ...HandleCreateSmPolicyRequest at smpolicy.go:82...

The Gin recovery middleware catches the panic (the captured stack trace runs inside ginRecover.func2.1), so the PCF process keeps serving other requests; the realized impact is per-request HTTP 500 on this endpoint whenever the downstream lookup fails.

Impact

NULL pointer dereference (CWE-476) caused by improper handling of an exceptional branch (CWE-754): the UDR-failure branch logs the OpenAPI error but does not return, then dereferences the nil response struct. The intended behavior is to return a controlled 4xx/5xx ProblemDetails and stop processing.

Gin recovery catches the panic, so the PCF process is NOT killed and other endpoints continue serving. The realized impact is per-request: any unauthenticated POST that drives the downstream UDR lookup to a 404 returns HTTP 500 (with empty body and a stack trace in PCF logs) instead of a controlled error response.

No Confidentiality impact (the response is 500 with empty body). No persistent Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation. The endpoint remains reachable to unauthenticated attackers via the route-group auth gap separately tracked in free5gc/free5gc#844.

Affected: free5gc v4.2.1 (originally reported against v4.1.0; same defect present).

Upstream issue: https://github.com/free5gc/free5gc/issues/803 Upstream fix: https://github.com/free5gc/pcf/pull/62

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/free5gc/pcf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44316"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T22:39:43Z",
    "nvd_published_at": "2026-05-27T17:16:36Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nfree5GC\u0027s PCF `POST /npcf-smpolicycontrol/v1/sm-policies` handler (`HandleCreateSmPolicyRequest`) panics with a nil-pointer dereference when a downstream OpenAPI consumer call (UDR lookup) returns `404 Not Found` and the consumer wrapper returns `err != nil` together with a nil response struct. The handler logs the OpenAPI error and continues executing instead of returning, then dereferences the nil response struct on a subsequent line and panics. Gin recovery converts the panic into `HTTP 500`, so a single attacker-shaped POST returns 500 instead of a clean 4xx whenever the downstream lookup fails. The PCF process keeps running.\n\nThe trigger is a single POST containing input that causes the downstream UDR lookup to fail (e.g. an unknown DNN). In v4.2.1 this endpoint is also reachable WITHOUT an `Authorization` header because the PCF `Npcf_SMPolicyControl` route group is mounted without inbound auth middleware (see free5gc/free5gc#844). So in the validation lab the trigger is fully unauthenticated.\n\n### Details\nValidated against the PCF container in the official Docker compose lab.\n- free5GC version: `v4.1.0` (originally reported on v4.1.0; same defect present in v4.2.1)\n- PCF endpoint: `http://10.100.200.9:8000`\n\nVulnerable handler path (paraphrased from the captured stack trace):\n```\n[INFO][PCF][SMpolicy] Handle CreateSmPolicy\n[ERRO][PCF][Consumer] openapi error: 404, Not Found\n[ERRO][PCF][GIN] panic: runtime error: invalid memory address or nil pointer dereference\n  github.com/free5gc/pcf/internal/sbi/processor.(*Processor).HandleCreateSmPolicyRequest\n      /go/src/free5gc/NFs/pcf/internal/sbi/processor/smpolicy.go:82 +0x562\n  github.com/free5gc/pcf/internal/sbi.(*Server).HTTPCreateSMPolicy\n      /go/src/free5gc/NFs/pcf/internal/sbi/api_smpolicy.go:86 +0x405\n```\n\nThe handler\u0027s UDR-failure branch logs the OpenAPI error but does not return; the next line dereferences the nil response struct.\n\nCode evidence (paths in `free5gc/pcf`):\n- Panic site:\n  - `NFs/pcf/internal/sbi/processor/smpolicy.go:82`\n- Route dispatch:\n  - `NFs/pcf/internal/sbi/api_smpolicy.go:86`\n\n### PoC\nReproduced end-to-end against the running PCF at `http://10.100.200.9:8000`.\n\nSend a single POST whose `dnn` is unknown to UDR -- this drives the downstream OpenAPI call to return `404 Not Found`, which then triggers the nil-deref panic:\n```\ncurl -sS -X POST \u0027http://10.100.200.9:8000/npcf-smpolicycontrol/v1/sm-policies\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\n    \"supi\":\"imsi-208930000000003\",\n    \"pduSessionId\":1,\n    \"dnn\":\"internet-bad\",\n    \"sliceInfo\":{\"sst\":1,\"sd\":\"010203\"},\n    \"servingNetwork\":{\"mcc\":\"208\",\"mnc\":\"93\"},\n    \"accessType\":\"3GPP_ACCESS\",\n    \"notificationUri\":\"http://smf.free5gc.org:8000/npcf-smpolicycontrol/v1/notify\"\n  }\u0027\n```\n\nObserved response: `HTTP 500 Internal Server Error` with empty body.\n\nPCF container logs show:\n```\n[INFO][PCF][SMpolicy] Handle CreateSmPolicy\n[ERRO][PCF][Consumer] openapi error: 404, Not Found\n[ERRO][PCF][GIN] panic: runtime error: invalid memory address or nil pointer dereference\n  ...HandleCreateSmPolicyRequest at smpolicy.go:82...\n```\n\nThe Gin recovery middleware catches the panic (the captured stack trace runs inside `ginRecover.func2.1`), so the PCF process keeps serving other requests; the realized impact is per-request `HTTP 500` on this endpoint whenever the downstream lookup fails.\n\n### Impact\nNULL pointer dereference (CWE-476) caused by improper handling of an exceptional branch (CWE-754): the UDR-failure branch logs the OpenAPI error but does not return, then dereferences the nil response struct. The intended behavior is to return a controlled `4xx`/`5xx` `ProblemDetails` and stop processing.\n\nGin recovery catches the panic, so the PCF process is NOT killed and other endpoints continue serving. The realized impact is per-request: any unauthenticated POST that drives the downstream UDR lookup to a `404` returns `HTTP 500` (with empty body and a stack trace in PCF logs) instead of a controlled error response.\n\nNo Confidentiality impact (the response is `500` with empty body). No persistent Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation. The endpoint remains reachable to unauthenticated attackers via the route-group auth gap separately tracked in free5gc/free5gc#844.\n\nAffected: free5gc v4.2.1 (originally reported against v4.1.0; same defect present).\n\nUpstream issue: https://github.com/free5gc/free5gc/issues/803\nUpstream fix: https://github.com/free5gc/pcf/pull/62",
  "id": "GHSA-wr8j-6chw-gm6p",
  "modified": "2026-06-08T23:47:04Z",
  "published": "2026-05-08T22:39:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-wr8j-6chw-gm6p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44316"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/issues/803"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/pcf/pull/62"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/pcf/commit/df535f5524314620715e842baf9723efbeb481a7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/free5gc/free5gc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "free5GC\u0027s PCF npcf-smpolicycontrol POST /sm-policies panics on downstream UDR/OpenAPI 404 via nil pointer dereference"
}

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is expected.

Mitigation
Implementation

If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248).

Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
  • Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-38
Architecture and Design Implementation

If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.

Mitigation
Architecture and Design

Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur.

No CAPEC attack patterns related to this CWE.