CVE-2026-27642

Name of the Vulnerable Software and Affected Versions free5gc UDM versions up to and including 1.4.1

Description free5gc UDM provides Unified Data Management for free5GC, an open-source 5G mobile core network project. Remote attackers can inject control characters, such as %00, into the supi parameter. This injection triggers internal URL parsing errors (net/url: invalid control character), potentially exposing system-level error details and enabling service fingerprinting. All deployments of free5GC utilizing the UDM Nudm UEAU service may be affected.

Recommendations Versions up to and including 1.4.1: Apply the official patch from free5gc/udm pull request 75.