CVE-2026-40249

Name of the Vulnerable Software and Affected Versions free5GC versions 4.2.1 and earlier

Description A fail-open request handling flaw exists in the UDR service. The PUT handler for the endpoint '/nudr-dr/v2/policy-data/subs-to-notify/{subsId}' does not terminate execution after request body retrieval or deserialization errors. Specifically, the function HandlePolicyDataSubsToNotifySubsIdPut() continues to invoke the processor with a potentially uninitialized or partially initialized PolicyDataSubscription object even after sending HTTP 500 or 400 error responses. This behavior may allow unintended modification of existing Policy Data notification subscriptions using invalid or empty input, depending on the downstream processor and storage behavior.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.