CVE-2026-44316

Name of the Vulnerable Software and Affected Versions free5GC versions 4.1.0 through 4.2.1

Description A nil-pointer dereference occurs in the PCF HandleCreateSmPolicyRequest function when a downstream OpenAPI consumer call to the UDR lookup returns a 404 Not Found error. The handler logs the error but continues execution instead of returning, subsequently dereferencing a nil response struct. This results in an HTTP 500 Internal Server Error. The issue can be triggered via a POST request to the '/npcf-smpolicycontrol/v1/sm-policies' endpoint, specifically when providing input that causes the UDR lookup to fail, such as an unknown dnn variable. In version 4.2.1, this endpoint is accessible without an Authorization header.

Recommendations Update free5GC to a version that incorporates the fix from pull request 62 in the PCF repository. As a temporary workaround, restrict access to the '/npcf-smpolicycontrol/v1/sm-policies' endpoint to authorized users only to minimize the risk of unauthenticated exploitation.