PT-2026-38370 · Free5Gc+1 · Free5Gc+1
Giancannella
·
Published
2026-05-07
·
Updated
2026-05-27
·
CVE-2026-42459
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
free5GC versions prior to 4.2.2
Description
The UDM component fails to validate the
supi path parameter in six GET handlers of the nudm-sdm (Subscriber Data Management) service. An unauthenticated attacker can inject control characters into the supi parameter, causing the UDM to forward a malformed request to the UDR. This results in a 500 Internal Server Error response that exposes internal infrastructure details, including the internal UDR hostname, port, API path structure, and service naming conventions.The affected API endpoints are:
- '/:supi/smf-select-data' (handled by
HandleGetSmfSelectData()) - '/:supi' (handled by
HandleGetSupi()) - '/:supi/trace-data' (handled by
HandleGetTraceData()) - '/:supi/ue-context-in-smf-data' (handled by
HandleGetUeContextInSmfData()) - '/:supi/nssai' (handled by
HandleGetNssai()) - '/:supi/sm-data' (handled by
HandleGetSmData())
Recommendations
Update to version 4.2.2.
As a temporary workaround, restrict access to the
nudm-sdm service endpoints to trusted networks to minimize the risk of internal infrastructure exposure.Exploit
Fix
RCE
Generation of Error Message Containing Sensitive Information
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Free5Gc
Github.Com/Free5Gc/Udm