PT-2026-39254 · Free5Gc+1

Linziyuu · Published 2026-05-08 · Updated 2026-05-27

CVE-2026-44324

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: free5GC versions prior to 4.2.2

Description: The UDR nudr-dr handler in free5GC can be made to panic by a single authenticated request. This occurs when a request is made to the endpoint "DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions" and the provided ueId does not exist in the UESubsCollection. The handler detects the missing user and sets a 404 USER NOT FOUND error, but it does not return, so execution continues. RemoveAmfSubscriptionsInfoProcedure() then performs a Go type assertion on a nil interface, which raises an interface conversion panic. The Gin recovery mechanism converts this panic into an HTTP 500 error, but the endpoint can be made to panic on every such request, which sustains a per-request denial of service (DoS) through the added CPU and log-write overhead.

Recommendations: Update to version 4.2.2. As a temporary workaround, restrict access to the "DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions" endpoint to minimize the risk of exploitation.
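The two weaknesses named on this record (an error condition that is detected but not acted on, followed by an unchecked type conversion) combine into exactly the crash described above. The following is an added, constructed Go example and not free5GC's code: the identifiers ueSubsCollection, amfSubscriptions, Response and the two handler functions are hypothetical. It puts the flawed control flow beside the hardened form, and wraps both in a small recovery shim so the difference between "panic converted to 500" and "clean 404" is visible.

```go
package main

import (
	"fmt"
)

// Constructed illustration of the bug class described in the advisory:
// an error status is recorded but execution does not stop, and the code then
// performs a single-value type assertion on a nil interface, which panics.
// All names here are hypothetical and are not free5GC's own identifiers.

type amfSubscriptions struct {
	Subs map[string]string
}

// Response stands in for the HTTP response a handler would write.
type Response struct {
	Status int
	Body   string
}

// ueSubsCollection maps a ueId to an opaque value, as a generic map-of-interface
// store would; a missing key yields a nil interface value. Constructed sample data.
var ueSubsCollection = map[string]interface{}{
	"imsi-208930000000001": &amfSubscriptions{Subs: map[string]string{"sub-1": "amf-1"}},
}

// removeAmfSubscriptionsVulnerable mirrors the flawed control flow: the 404 is
// set, but the function falls through to value.(*amfSubscriptions), which
// panics with "interface conversion: interface is nil" when ueId is unknown.
func removeAmfSubscriptionsVulnerable(ueId, subsId string) (resp Response) {
	value := ueSubsCollection[ueId] // nil interface when ueId is absent
	if value == nil {
		resp = Response{Status: 404, Body: "USER NOT FOUND"}
		// BUG: no return here, so execution continues with a nil value
	}
	subs := value.(*amfSubscriptions) // single-value assertion: panics on nil interface
	delete(subs.Subs, subsId)
	return Response{Status: 204}
}

// removeAmfSubscriptionsFixed returns immediately on the error path and uses
// the two-value form of the type assertion, so an unexpected type becomes a
// handled error instead of a panic.
func removeAmfSubscriptionsFixed(ueId, subsId string) Response {
	value, found := ueSubsCollection[ueId]
	if !found || value == nil {
		return Response{Status: 404, Body: "USER NOT FOUND"}
	}
	subs, ok := value.(*amfSubscriptions)
	if !ok {
		return Response{Status: 500, Body: "unexpected record type"}
	}
	if _, exists := subs.Subs[subsId]; !exists {
		return Response{Status: 404, Body: "SUBSCRIPTION NOT FOUND"}
	}
	delete(subs.Subs, subsId)
	return Response{Status: 204}
}

// callWithRecovery plays the role of a recovery middleware: it converts a panic
// into a 500 response and reports whether a panic occurred. A stream of such
// recovered panics on one endpoint is the signal a defender would alert on.
func callWithRecovery(handler func(string, string) Response, ueId, subsId string) (resp Response, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			resp = Response{Status: 500, Body: fmt.Sprint(r)}
			panicked = true
		}
	}()
	return handler(ueId, subsId), false
}

func main() {
	unknown := "imsi-999999999999999" // constructed, not present in the store
	resp, panicked := callWithRecovery(removeAmfSubscriptionsVulnerable, unknown, "sub-1")
	fmt.Printf("vulnerable: status=%d panicked=%v body=%q\n", resp.Status, panicked, resp.Body)
	resp, panicked = callWithRecovery(removeAmfSubscriptionsFixed, unknown, "sub-1")
	fmt.Printf("fixed:      status=%d panicked=%v body=%q\n", resp.Status, panicked, resp.Body)
}
```

The fixed variant illustrates both halves of the repair: the error branch ends the request, and the assertion is written as `subs, ok := value.(*amfSubscriptions)` so that a malformed record can never take the process through the panic path. Operationally, recovered-panic log lines concentrated on a single route are the indicator that this pattern is being hit, whether by mistake or deliberately.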

Exploit

Fix

Weakness Enumeration

Incorrect Type Conversion or Cast

Improper Check for Exceptional Conditions

Related Identifiers

CVE-2026-44324
GHSA-JQFC-GWJ5-3W63

Affected Products

Free5Gc
Github.Com/Free5Gc/Udm