PT-2026-39258 · Unknown · Free5Gc Smf

Linziyuu · Published 2026-05-08 · Updated 2026-06-17 · CVE-2026-44328

CVSS v3.1: 8.2 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Name of the Vulnerable Software and Affected Versions

free5GC SMF version 4.2.1

Description

The SMF mounts the UPI management route group without inbound OAuth2 middleware, allowing unauthenticated access. A flaw in the DeleteUpNodeLink function causes a nil-pointer dereference when processing requests for Access Network (AN) typed nodes, because these nodes are constructed without a UPF object. Specifically, the handler calls upNode.UPF.CancelAssociation() unconditionally, leading to a panic. Furthermore, UpNodeDelete(upNodeRef) is executed before the panic occurs, so the in-memory user-plane topology is already mutated by the time the handler fails. An off-path network attacker can exploit this by sending a DELETE request to the endpoint "/upi/v1/upNodesLinks/{upNodeRef}"; the upNodeRef value selects the entry, so arbitrary named entries can be deleted and the SMF can no longer use those nodes for legitimate sessions.

Recommendations

Update free5GC SMF to a version that incorporates the fix from pull request 199. As a temporary workaround, restrict network access to the SMF SBI interface to authorized sources only, to prevent unauthenticated access to the "/upi/v1/upNodesLinks/" endpoint.
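The mutate-then-dereference order from the description, next to a guarded version, as an added example: this is a simplified model written for this page, not free5GC source and not the change made in pull request 199. All type and function names (UPF, UPNode, Topology, DeleteUnsafe, DeleteSafe) and the node name "gNB1" are assumptions, and the missing OAuth2 middleware is not modelled.

```go
package main

import "fmt"

// Simplified model of the flaw; every name here is an assumption, not free5GC source.
type UPF struct{ associated bool }

func (u *UPF) CancelAssociation() { u.associated = false }

type UPNode struct {
	Type string // "AN" or "UPF"
	UPF  *UPF   // nil for AN-typed nodes, as the advisory describes
}

type Topology map[string]*UPNode

// DeleteUnsafe removes the node, then calls CancelAssociation unconditionally.
// recover is used here only so the outcome can be inspected.
func DeleteUnsafe(t Topology, ref string) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panicked: %v", r)
		}
	}()
	n, ok := t[ref]
	if !ok {
		return fmt.Errorf("upNode %q not found", ref)
	}
	delete(t, ref)            // topology is mutated first
	n.UPF.CancelAssociation() // nil dereference when n.UPF == nil
	return nil
}

// DeleteSafe checks the pointer before using it, and only then mutates.
func DeleteSafe(t Topology, ref string) error {
	n, ok := t[ref]
	if !ok {
		return fmt.Errorf("upNode %q not found", ref)
	}
	if n.UPF != nil { // AN nodes carry no UPF, so there is nothing to cancel
		n.UPF.CancelAssociation()
	}
	delete(t, ref)
	return nil
}

func main() {
	t := Topology{"gNB1": {Type: "AN"}} // constructed sample topology
	fmt.Println(DeleteUnsafe(t, "gNB1"), len(t))
}
```

The guard removes the panic only; whether an unauthenticated caller may delete nodes at all is the separate authentication issue the recommendations address.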

Exploit · Fix · DoS · Missing Authentication · Missing Authorization · NULL Pointer Dereference

Related Identifiers

CVE-2026-44328
GHSA-P9MG-74MG-CWWR

Affected Products

Free5Gc Smf