PT-2026-34214 · Unknown · Free5Gc Udr

Published 2026-04-21 · Updated 2026-04-28 · CVE-2026-40343

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: free5GC UDR versions prior to 1.4.3

Description: A fail-open request handling flaw exists in the UDR service's POST handler for the endpoint '/nudr-dr/v2/policy-data/subs-to-notify'. When retrieving or deserializing the request body fails, HandlePolicyDataSubsToNotifyPost sends an error response but does not return, so execution falls through and PolicyDataSubsToNotifyPostProcedure() is invoked with an uninitialized (zero-value), empty, or partially deserialized input. A client that can reach the endpoint (the CVSS vector rates it PR:N, no privileges required) can therefore send a malformed body, receive the error response, and still cause a Policy Data notification subscription to be created.

Recommendations: The advisory does not name a release that contains a fix; the affected-versions field, however, lists only releases prior to 1.4.3, so updating to 1.4.3 or later is the expected remediation once a fixed release is confirmed. As a temporary workaround, restrict access to the '/nudr-dr/v2/policy-data/subs-to-notify' endpoint to the network functions that legitimately consume it, to minimize the risk of exploitation. After any fix or workaround, verify that a POST with an empty or malformed body returns an error and leaves no new subscription in the UDR's subscription store.
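The fall-through pattern described above, as an added example that is not free5GC's code: a minimal net/http handler written the way the advisory describes (error response sent, no return) next to the same handler with the return in place. FailOpenHandler, FailClosedHandler, PostSubsToNotify and the two-field PolicyDataSubscription type are hypothetical stand-ins; subsToNotifyPostProcedure plays the role of PolicyDataSubsToNotifyPostProcedure(). The sample request bodies are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// PolicyDataSubscription is a reduced stand-in for the subscription body the
// real endpoint accepts (assumption: only two fields are modelled here).
type PolicyDataSubscription struct {
	NotificationUri       string   `json:"notificationUri"`
	MonitoredResourceUris []string `json:"monitoredResourceUris"`
}

// SubscriptionStore stands in for the UDR's subscription database.
type SubscriptionStore struct {
	Subs []PolicyDataSubscription
}

// subsToNotifyPostProcedure plays the role of PolicyDataSubsToNotifyPostProcedure():
// whatever it is handed gets persisted as a subscription, no questions asked.
func subsToNotifyPostProcedure(store *SubscriptionStore, w http.ResponseWriter, sub PolicyDataSubscription) {
	store.Subs = append(store.Subs, sub)
	w.WriteHeader(http.StatusCreated)
}

// decodeBody retrieves and deserialises the request body. On error the returned
// struct is the zero value or, for a type mismatch in one field, whatever
// encoding/json managed to fill before recording the error.
func decodeBody(r *http.Request) (PolicyDataSubscription, error) {
	var sub PolicyDataSubscription
	raw, err := io.ReadAll(r.Body)
	if err != nil {
		return sub, err
	}
	err = json.Unmarshal(raw, &sub)
	return sub, err
}

// FailOpenHandler reproduces the advisory's pattern: the error response is
// written, but the function does not return, so execution falls through to the
// procedure with the unvalidated struct.
func FailOpenHandler(store *SubscriptionStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		sub, err := decodeBody(r)
		if err != nil {
			http.Error(w, "malformed body: "+err.Error(), http.StatusBadRequest)
			// BUG: no return here, so the next line still runs.
		}
		subsToNotifyPostProcedure(store, w, sub)
	}
}

// FailClosedHandler is the same handler with the missing return added.
func FailClosedHandler(store *SubscriptionStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		sub, err := decodeBody(r)
		if err != nil {
			http.Error(w, "malformed body: "+err.Error(), http.StatusBadRequest)
			return // fail closed: nothing below runs on a bad body
		}
		subsToNotifyPostProcedure(store, w, sub)
	}
}

// PostSubsToNotify drives a handler with an in-memory POST and returns the HTTP
// status plus the subscriptions that exist afterwards.
func PostSubsToNotify(h func(*SubscriptionStore) http.HandlerFunc, body string) (int, []PolicyDataSubscription) {
	store := &SubscriptionStore{}
	req := httptest.NewRequest(http.MethodPost, "/nudr-dr/v2/policy-data/subs-to-notify", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	h(store)(rec, req)
	return rec.Code, store.Subs
}

func main() {
	// Constructed sample bodies: empty, syntactically broken, one where a later
	// field has the wrong type so the URI is filled before the error, and a valid one.
	bodies := []string{
		"",
		"{not json",
		`{"notificationUri":"http://attacker.example/cb","monitoredResourceUris":5}`,
		`{"notificationUri":"http://pcf.example/cb","monitoredResourceUris":["/policy-data/ues/imsi-1"]}`,
	}
	for _, b := range bodies {
		sOpen, subsOpen := PostSubsToNotify(FailOpenHandler, b)
		sClosed, subsClosed := PostSubsToNotify(FailClosedHandler, b)
		fmt.Printf("body %q\n  fail-open:   status=%d created=%d %+v\n  fail-closed: status=%d created=%d\n",
			b, sOpen, len(subsOpen), subsOpen, sClosed, len(subsClosed))
	}
}
```

The client-visible response is the same 400 in both variants (the recorder, like a real connection, keeps the first status written), which is why this class of bug is easy to miss from the outside; the difference is only visible in the store, where the fail-open handler leaves a zero-value subscription behind for an empty or broken body and a half-filled one when a single field has the wrong type. The third body shows that "partially processed input" is not theoretical: encoding/json fills the fields it can and still reports an error.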

Weakness Enumeration

Improper Check for Exceptional Conditions (CWE-754)

Related Identifiers

CVE-2026-40343
GHSA-JWCH-W7WH-GQJM

Affected Products

Free5Gc Udr