CVE-2026-44323

Name of the Vulnerable Software and Affected Versions free5GC versions prior to 4.2.2

Description The UDR nudr-dr handler for the endpoint "DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions" contains a nil-pointer dereference. This occurs when a request is made with a nonexistent subsId after a preparatory authenticated EE-subscription has been created to allocate UE state. The handler identifies the missing entry and sets a 404 error but fails to return, subsequently attempting to access UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos. This results in a runtime panic that is converted into an HTTP 500 error by the Gin recovery mechanism. An authenticated attacker with a valid nudr-dr OAuth2 access token can repeatedly trigger this panic, leading to a denial-of-service (DoS) through resource degradation.

Recommendations Update to version 4.2.2.