PT-2026-26186 · Linux Foundation · Free5Gc

Zfei10990-Cmd

Published 2026-03-18 · Updated 2026-03-27 · CVE-2026-33064

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Free5GC versions prior to 1.4.2

Description: Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are susceptible to a procedure panic caused by a nil pointer dereference in the /sdm-subscriptions API endpoint. A remote attacker can cause the UDM service to panic and crash by sending a crafted POST request to the /sdm-subscriptions endpoint with a malformed URL path containing path traversal sequences (../) and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go attempts to access a nil pointer without proper validation, resulting in a complete service crash. Exploitation leads to disruption of UDM functionality until the service is recovered by a restart.

Recommendations: Upgrade to Free5GC version 1.4.2 or later.
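To illustrate the bug class described above from the defender's side, the following is an added Go example, not free5gc's own code: a hypothetical notification type (`DataChangeNotification`, `SdmSubscription`, and the `callbackReference` field are assumptions, not the project's real types) is decoded once without validation, so a body that omits the optional pointer field panics, and once with validation that rejects the request before any pointer is dereferenced; a per-request `recover` guard then shows how a single malformed request can be contained instead of crashing the whole service.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"log"
)

// Hypothetical notification shape used for illustration; not free5gc's real type.
type SdmSubscription struct {
	CallbackURI string `json:"callbackReference"`
}
type DataChangeNotification struct {
	Subscription *SdmSubscription `json:"subscription"`
	Changes      []string         `json:"changes"`
}

// vulnerableProcedure trusts the decoded body: a request that omits
// "subscription" leaves the pointer nil and the dereference panics.
func vulnerableProcedure(body []byte) string {
	var n DataChangeNotification
	_ = json.Unmarshal(body, &n) // decode errors ignored, as in the bug class
	return n.Subscription.CallbackURI
}

// hardenedProcedure rejects undecodable or incomplete bodies before any
// pointer is dereferenced; the caller maps the error to an HTTP 400.
func hardenedProcedure(body []byte) (string, error) {
	var n DataChangeNotification
	if err := json.Unmarshal(body, &n); err != nil {
		return "", fmt.Errorf("malformed notification body: %w", err)
	}
	if n.Subscription == nil || n.Subscription.CallbackURI == "" {
		return "", errors.New("notification lacks a subscription callbackReference")
	}
	return n.Subscription.CallbackURI, nil
}

// safeCall guards one request: a panic inside fn is logged and reported instead
// of crashing the whole service (defense in depth, not a substitute for validation).
func safeCall(fn func() string) (result string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			log.Printf("request handler panicked: %v", r)
			panicked = true
		}
	}()
	return fn(), false
}
```

Feeding the constructed body `{"changes":["x"]}` to `vulnerableProcedure` panics inside `safeCall`, while `hardenedProcedure` returns an error for the same input and the callback URI for a complete one.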


Weakness Enumeration: NULL Pointer Dereference

Related Identifiers

CVE-2026-33064
GHSA-7G27-V5WJ-JR75
GO-2026-4757
SUSE-SU-2026:1135-1

Affected Products

Free5Gc