Free5gc 4.2.2: 20 CVEs Land in Single Disclosure — Missing Auth, Panics, and Protocol Flaws
Twenty vulnerabilities hit the open-source 5G core network Free5gc on May 27, 2026, including four critical missing-authentication bugs (CVSS 10.0) and a cluster of denial-of-service panics across NEF, SMF, PCF, UDR, and AMF.

Key findings
- Four CVEs scored CVSS 10.0 — all missing OAuth2 authorization middleware on NEF and SMF route groups
- Six nil-pointer panic bugs across NEF, SMF, PCF, and UDR can crash individual network functions
- CVE-2026-44319 in NEF terminates the entire process on a failed PFD notification delivery
- CVE-2026-42081 allows a malicious gNB to overwrite AMF-stored UE security capabilities
- CVE-2026-42459 in UDM lets unauthenticated attackers inject control characters into SUPI parameters
- All 20 CVEs fixed in Free5gc version 4.2.2 — no partial mitigations announced
Twenty security vulnerabilities were disclosed together on May 27, 2026, affecting Free5gc, the open-source 5G core network implementation. The batch — fixed in version 4.2.2 — spans missing OAuth2 authorization middleware, nil-pointer panics, race conditions, type-confusion bugs, and protocol-level enforcement gaps across nearly every major network function (NEF, SMF, PCF, UDR, UDM, BSF, NRF, and AMF). Four of the CVEs carry a CVSS score of 10.0 (Critical), making this one of the most severe single-disclosure events in the project's history.
Missing OAuth2 authorization — the critical cluster
Four CVEs share a root cause: route groups mounted without inbound OAuth2/bearer-token authorization middleware. CVE-2026-44330 (CVSS 10.0) affects the NEF nnef-pfdmanagement route group — a network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token to hit PFD-management endpoints. CVE-2026-44327 (CVSS 10.0) targets the same NEF component's nnef-oam route group, where requests with no Authorization header at all return 200 OK. CVE-2026-44329 (CVSS 10.0) hits SMF's UPI management route group, which similarly lacks OAuth2 middleware. CVE-2026-44326 (CVSS 9.4) covers NEF's 3gpp-traffic-influence API, allowing an attacker to create, read, patch, and delete traffic-influence subscriptions without valid authorization.
Two additional missing-auth bugs scored slightly lower but are equally dangerous in context. CVE-2026-44315 (CVSS 9.4) exposes NEF's 3gpp-pfd-management API to unauthenticated create/read/delete of PFD-management transaction state. CVE-2026-44320 (CVSS 7.3) covers NEF's nnef-callback route group, where a forged bearer token is enough to reach SMF-callback handlers. CVE-2026-42083 (CVSS 8.2) rounds out this category: PCF's Npcf_SMPolicyControl route group lacks authentication middleware entirely, allowing unauthenticated access to SM policy handlers and disclosure of subscriber SUPI.
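The root cause described in this section, as an added Go example (not Free5gc code): two hypothetical route groups, one mounted without the authorization middleware, and a check that lists every group answering a request that carries no valid bearer token. It uses net/http rather than the project's router; the group names, paths and token value are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// validToken stands in for real OAuth2 validation (signature, expiry, audience, scope).
func validToken(tok string) bool { return tok == "constructed-valid-token" }
// requireBearer rejects the request before the handler runs unless the token validates.
func requireBearer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, "Bearer ") || !validToken(strings.TrimPrefix(h, "Bearer ")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter mounts two hypothetical groups. Hardened form: requireBearer(newRouter()).
func newRouter() http.Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	mux := http.NewServeMux()
	mux.Handle("/group-a/", requireBearer(ok))
	mux.Handle("/group-b/", ok) // mounted bare: this group never got the middleware
	return mux
}

// unprotected lists paths answering anything but 401 with no header or an arbitrary token.
func unprotected(h http.Handler, paths []string) (bad []string) {
	for _, p := range paths {
		for _, hdr := range []http.Header{{}, {"Authorization": {"Bearer arbitrary"}}} {
			req := httptest.NewRequest(http.MethodGet, p, nil)
			req.Header = hdr
			rec := httptest.NewRecorder()
			if h.ServeHTTP(rec, req); rec.Code != http.StatusUnauthorized {
				bad = append(bad, p)
				break
			}
		}
	}
	return bad
}

func main() { fmt.Println(unprotected(newRouter(), []string{"/group-a/items", "/group-b/items"})) }
```

Wrapping the router root, as in requireBearer(newRouter()), enforces the check for every group, including ones added later.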
Nil-pointer panics and process termination
A second thematic cluster involves nil-pointer dereferences and panic conditions that crash individual network functions. CVE-2026-44328 (CVSS 8.2) in SMF's UPI handler unconditionally dereferences upNode.UPF after a type-guarded async release, causing a panic. CVE-2026-44321 (CVSS 7.5) in the same SMF UPI route group passes attacker-controlled JSON directly into UpNodesFromConfiguration(), which can trigger a nil-pointer panic.
In NEF, CVE-2026-44322 (CVSS 7.5) causes a panic when a PATCH to PFD-management applications receives a nil response from an upstream UDR call. CVE-2026-44319 (CVSS 7.5) goes further — a failed PFD-subscription notifyUri delivery triggers logger.Panicf(), terminating the entire NEF process.
In PCF, CVE-2026-44317 (CVSS 6.5) panics on a single authenticated request to the policy-authorization app-sessions handler when suppFeat == "1" and medComponents supply an afAppId that triggers a nil dereference. CVE-2026-44316 (CVSS 7.5) panics in the SM policy control handler when a UDR lookup returns 404 and the consumer wrapper returns a nil response.
In UDR, CVE-2026-44324 (CVSS 6.5) and CVE-2026-44323 (CVSS 4.3) both target the same DELETE handler for EE-subscription AMF subscriptions — the former panics on a fresh UDR instance when the supplied ueId does not exist, and the latter triggers a nil-pointer dereference after one preparatory authenticated request.
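The nil-response pattern behind several of these panics, as an added Go example (not Free5gc code): a hypothetical consumer wrapper returns a nil payload on a 404, one handler dereferences it, the other checks first, and a recover guard turns any remaining panic into a 500. All type names, function names and SUPI values are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// PolicyData is a hypothetical upstream payload.
type PolicyData struct{ Dnn string }
type store map[string]*PolicyData

// lookup mimics a consumer wrapper: on 404 the payload is nil.
func lookup(s store, supi string) (*PolicyData, error) {
	if d, ok := s[supi]; ok {
		return d, nil
	}
	return nil, errors.New("upstream returned 404")
}

// handleUnsafe drops the error and dereferences the payload, so a 404 panics.
func handleUnsafe(s store, supi string) (int, string) {
	d, _ := lookup(s, supi)
	return 200, d.Dnn
}

// handleSafe turns the upstream miss into a client-visible 404.
func handleSafe(s store, supi string) (int, string) {
	d, err := lookup(s, supi)
	if err != nil || d == nil {
		return 404, "subscriber data not found"
	}
	return 200, d.Dnn
}

// guard converts a panic in one request into a 500. recover only works in the
// goroutine that panicked, so background deliveries need their own guard.
func guard(h func(store, string) (int, string), s store, supi string) (code int, body string) {
	defer func() {
		if recover() != nil {
			code, body = 500, "internal error"
		}
	}()
	return h(s, supi)
}

func main() {
	s := store{"imsi-001010000000001": {Dnn: "internet"}} // constructed sample
	fmt.Println(guard(handleUnsafe, s, "imsi-001010000000099"))
}
```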
Type confusion, race conditions, and protocol gaps
CVE-2026-44325 (CVSS 7.5) is a family of parser-level type-confusion bugs in NRF's root SBI endpoint, POST /oauth2/token. The handler reflects over models.NrfAccessTokenAccessTokenReq and special-cases only plain string fields, leaving other types in an inconsistent state.
CVE-2026-44318 (CVSS 6.5) in BSF's subscription update handler has an unsynchronized write on the global Subscriptions map — the handler reads under RLock() but writes without upgrading the lock, creating a data race.
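The locking flaw described for the BSF handler, as an added Go example (not Free5gc code): a hypothetical subscription table where one update method writes the map under the read lock and the corrected one holds the write lock across the existence check and the write. The Store type, its fields and the sample values are constructed.

```go
package main

import (
	"fmt"
	"sync"
)

type Store struct {
	mu     sync.RWMutex
	subs   map[string]string // hypothetical: subscription ID -> notification URI
	writes int               // completed updates, guarded by mu
}

// UpdateRacy is the flawed shape: RLock admits many holders, so two updates can write at once.
func (s *Store) UpdateRacy(id, uri string) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	if _, ok := s.subs[id]; ok {
		s.subs[id] = uri // write under a read lock: data race
	}
}

// Update holds the write lock across check and write. sync.RWMutex has no upgrade,
// and releasing RLock before Lock would let a delete land between check and write.
func (s *Store) Update(id, uri string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.subs[id]; !ok {
		return false
	}
	s.subs[id] = uri
	s.writes++
	return true
}

// hammer fires n concurrent updates at one subscription and returns how many completed.
func hammer(n int) int {
	s := &Store{subs: map[string]string{"sub-1": "uri-0"}}
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() { defer wg.Done(); s.Update("sub-1", "uri-new") }()
	}
	wg.Wait()
	return s.writes
}

func main() { fmt.Println(hammer(100)) }
```

Running the test suite of a handler like this under Go's race detector (go test -race) reports the UpdateRacy shape as soon as two updates overlap.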
Two AMF protocol-enforcement bugs complete the batch. CVE-2026-42082 (CVSS 3.7) documents that AMF does not enforce the concurrent security procedure rules from 3GPP TS 33.501 §6.9.5.1 — it does not check for ongoing N2 handover procedures before initiating a NAS Security Mode Command, and vice versa. CVE-2026-42081 (CVSS 6.1) describes a missing verification of UE Security Capabilities received in NGAP PathSwitchRequest messages against locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1 — a malicious gNB can overwrite the AMF's stored UE security capabilities.
Finally, CVE-2026-42459 (CVSS 7.5) in UDM's nudm-sdm service fails to validate the supi path parameter in six GET handlers, allowing an unauthenticated attacker to inject control characters into the SUPI parameter.
Patch and response
All 20 CVEs are addressed in Free5gc version 4.2.2. Users running any earlier version, particularly deployments that expose SBI interfaces to untrusted networks, should upgrade immediately. The missing-OAuth2 bugs are especially urgent: they allow access to core network function APIs with no token at all or with a trivially forged one. Organizations operating Free5gc in testbeds, research labs, or production-adjacent environments should treat this batch as a single coordinated upgrade event.
Why this matters
Free5gc is the most widely used open-source 5G core in academic research, prototyping, and early-stage deployments. A single disclosure of 20 CVEs — four of them CVSS 10.0 — signals that the project's authentication middleware layer and error-handling paths need systematic hardening. The missing-OAuth2 bugs alone could allow an attacker on the SBI network to provision traffic-influence rules, read subscriber data, or crash NFs. For teams evaluating or deploying Free5gc, version 4.2.2 is now the minimum viable baseline.