PT-2026-39247 · free5GC

Linziyuu · Published 2026-05-08 · Updated 2026-05-27 · CVE-2026-44317

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

free5GC versions prior to 4.2.2

Description

The PCF handler for the endpoint "/npcf-policyauthorization/v1/app-sessions" contains a flaw that causes a runtime panic when processing a specific authenticated request. This occurs when the ascReqData.suppFeat variable is set to "1" (which enables traffic-routing feature negotiation) and the medComponents entries provide an afAppId but omit the AfRoutReq. In this scenario, the system calls the provisioningOfTrafficRoutingInfo() function with a null routeReq variable and attempts to dereference its fields, such as RouteToLocs, without a prior nil check. This results in an invalid memory address or nil pointer dereference. While the Gin recovery mechanism prevents the entire PCF process from crashing by converting the panic into an HTTP 500 error, an authenticated user can repeatedly trigger this path to cause a per-request denial-of-service (DoS) on the app-session creation process.

Recommendations

Update to version 4.2.2. As a temporary workaround, avoid setting the ascReqData.suppFeat variable to "1" when AfRoutReq is absent in requests to the "/npcf-policyauthorization/v1/app-sessions" endpoint.
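
A minimal Go model of the flaw described above, added here as an illustration and not taken from the free5GC PCF source. The struct types, `handle`, `provisionUnchecked`, `provisionChecked` and the 400/201 status codes are assumptions; only the field names and the panic-to-500 behaviour come from the advisory text.

```go
package main

import "fmt"

// Hypothetical, simplified request model; field names follow the advisory text.
type AfRoutingRequirement struct{ RouteToLocs []string }
type MediaComponent struct {
	AfAppId   string
	AfRoutReq *AfRoutingRequirement // optional: nil when omitted from the body
}
type AscReqData struct {
	SuppFeat      string
	MedComponents map[string]MediaComponent
}

// Pre-fix pattern: dereferences routeReq without a nil check.
func provisionUnchecked(routeReq *AfRoutingRequirement) (int, error) {
	return len(routeReq.RouteToLocs), nil // panics when routeReq == nil
}

// Hardened pattern: reject the absent optional field before touching it.
func provisionChecked(routeReq *AfRoutingRequirement) (int, error) {
	if routeReq == nil {
		return 0, fmt.Errorf("afRoutReq missing while traffic routing is negotiated")
	}
	return len(routeReq.RouteToLocs), nil
}

// handle returns the HTTP status; recover stands in for Gin's recovery middleware.
func handle(req AscReqData, provision func(*AfRoutingRequirement) (int, error)) (status int) {
	defer func() {
		if recover() != nil {
			status = 500 // panic converted to Internal Server Error
		}
	}()
	for _, mc := range req.MedComponents {
		if req.SuppFeat != "1" || mc.AfAppId == "" {
			continue // traffic-routing path not taken
		}
		if _, err := provision(mc.AfRoutReq); err != nil {
			return 400 // assumed rejection status for this example
		}
	}
	return 201
}

func main() { // constructed request: suppFeat "1", afAppId set, AfRoutReq omitted
	req := AscReqData{"1", map[string]MediaComponent{"1": {AfAppId: "app-a"}}}
	fmt.Println(handle(req, provisionUnchecked), handle(req, provisionChecked))
}
```

In the unchecked variant the request fails only because the recovery layer catches the panic, so a spike of HTTP 500 responses on this endpoint paired with nil-dereference stack traces in the PCF log is the signal to look for on unpatched versions.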

Exploit

Fix

Weakness Enumeration

Improper Check for Exceptional Conditions
NULL Pointer Dereference

Related Identifiers

CVE-2026-44317
GHSA-WWQH-7JM5-GJ7W

Affected Products

free5GC
github.com/free5gc/pcf