PT-2026-39251 · free5GC

Linziyuu · Published 2026-05-08 · Updated 2026-05-28 · CVE-2026-44321

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

free5GC versions prior to 4.2.2

Description

The Session Management Function (SMF) in free5GC mounts the UPI management route group without inbound OAuth2 middleware, so its endpoints can be reached without any authentication. The POST endpoint '/upi/v1/upNodesLinks' accepts attacker-controlled JSON and passes it to the UpNodesFromConfiguration() function. That function calls logger.InitLog.Fatalf() on several validation failures, such as the UE-IP-pool overlap check, an invalid pool, or a static-pool-exclusion failure. Fatalf logs the message and then calls os.Exit(1), so it terminates the entire SMF process rather than only the goroutine serving the request. A single unauthenticated request with a crafted body therefore causes a complete loss of SMF service, including PDU-session establishment and UE policy lookups, until the process is restarted.

Recommendations

Update to version 4.2.2 or later. As a temporary workaround, restrict network access to the SMF Service Based Interface (SBI) so that unauthenticated requests cannot reach the '/upi/v1/upNodesLinks' endpoint.
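The Fatalf-in-a-handler failure mode and the two-part fix (validation errors returned to the client, route mounted behind authentication), as an added Go example that is not code from free5GC or from this advisory. It uses the standard library net/http mux in place of free5GC's router, a hypothetical requireOAuth2 bearer-token check in place of the project's real OAuth2 middleware, and an invented UPNodeLink JSON shape; the overlap and invalid-pool checks are simplified stand-ins for the real validation, and upNodesVulnerable is the only place log.Fatalf appears.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// UPNodeLink is a constructed stand-in for the request JSON; free5GC's real structure differs.
type UPNodeLink struct {
	NodeID string   `json:"nodeId"`
	Pools  []string `json:"ueIpPools"` // UE IP pools as CIDRs
}

var ErrPoolInvalid, ErrPoolOverlap = errors.New("invalid UE IP pool"), errors.New("UE IP pools overlap")

// validatePools reports invalid and overlapping pools as errors instead of exiting.
func validatePools(cidrs []string) error {
	var seen []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return fmt.Errorf("%w: %q", ErrPoolInvalid, c)
		}
		for _, prev := range seen {
			if prev.Contains(n.IP) || n.Contains(prev.IP) { // one network inside the other
				return fmt.Errorf("%w: %s and %s", ErrPoolOverlap, prev, n)
			}
		}
		seen = append(seen, n)
	}
	return nil
}

// upNodesVulnerable mirrors the pre-4.2.2 pattern: Fatalf logs, then calls
// os.Exit(1), so one bad body kills the whole SMF. Shown only for contrast.
func upNodesVulnerable(links []UPNodeLink) {
	for _, l := range links {
		if err := validatePools(l.Pools); err != nil {
			log.Fatalf("UP node %s: %v", l.NodeID, err)
		}
	}
}

// requireOAuth2 is a hypothetical placeholder for the missing inbound OAuth2 middleware.
func requireOAuth2(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// upNodesLinksHandler is the fixed shape: a bad body fails this request only.
func upNodesLinksHandler(w http.ResponseWriter, r *http.Request) {
	var links []UPNodeLink
	if err := json.NewDecoder(r.Body).Decode(&links); err != nil {
		http.Error(w, "malformed JSON", http.StatusBadRequest)
		return
	}
	for _, l := range links {
		if err := validatePools(l.Pools); err != nil {
			http.Error(w, fmt.Sprintf("UP node %s: %v", l.NodeID, err), http.StatusBadRequest)
			return
		}
	}
	w.WriteHeader(http.StatusNoContent)
}

// NewUPIMux mounts the route behind the middleware, the other half of the fix.
func NewUPIMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/upi/v1/upNodesLinks", requireOAuth2(http.HandlerFunc(upNodesLinksHandler)))
	return mux
}

// postUPNodesLinks drives the mux in memory and returns the HTTP status code.
func postUPNodesLinks(h http.Handler, auth, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/upi/v1/upNodesLinks", strings.NewReader(body))
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

const overlapping = `[{"nodeId":"UPF1","ueIpPools":["10.60.0.0/16","10.60.1.0/24"]}]` // constructed: second pool sits inside the first

func main() {
	h := NewUPIMux()
	fmt.Println(postUPNodesLinks(h, "", overlapping))           // 401: rejected before parsing
	fmt.Println(postUPNodesLinks(h, "Bearer tok", overlapping)) // 400: rejected, SMF keeps running
}
```

With go run, the first request is refused with 401 before the body is parsed and the second with 400 while the process keeps serving. Passing the same decoded body to upNodesVulnerable instead ends the process with exit status 1, which is the behaviour the advisory describes; the workaround of restricting SBI access only limits who can reach the route, so the error-return change is still needed for any caller that is allowed through.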

Exploit · Fix · DoS · Missing Authorization · Assertion Failure · Missing Authentication


Weakness Enumeration

Related Identifiers

CVE-2026-44321
GHSA-44QJ-CGHF-9P97

Affected Products

free5GC
github.com/free5gc/smf