High severity 7.5 · GHSA Advisory · Published May 27, 2026 · Updated May 28, 2026
CVE-2026-42459
Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm (Subscriber Data Management) service. An unauthenticated attacker can inject control characters into the SUPI parameter, causing UDM to forward a malformed request to UDR and return a 500 Internal Server Error response that exposes internal infrastructure details. This vulnerability is fixed in 4.2.2.
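The missing check, sketched as an added example (not the free5GC patch or any code from the project): validate the decoded `supi` value before it is used to build the UDR request, and answer invalid input with a fixed 400 body instead of relaying an upstream 500. The names `ValidateSupi` and `CheckSupi`, the IMSI-only pattern, and the choice of response body are assumptions made for this sketch.

```go
package main

import (
	"fmt"
	"regexp"
	"unicode"
)

// Assumed allow-list for this sketch: IMSI-based SUPIs only.
var supiIMSI = regexp.MustCompile(`^imsi-[0-9]{5,15}$`)

// ValidateSupi checks a decoded supi path parameter before it is used to
// build the request to UDR. Hypothetical helper, not free5GC code.
func ValidateSupi(supi string) error {
	for _, r := range supi {
		if unicode.IsControl(r) { // NUL, CR, LF, TAB, DEL, C1 controls
			return fmt.Errorf("supi contains control character U+%04X", r)
		}
	}
	if !supiIMSI.MatchString(supi) {
		return fmt.Errorf("supi %q does not match the expected format", supi)
	}
	return nil
}

// CheckSupi returns the status and body to send when validation fails, or
// (0, "") when the handler may go on to query UDR.
func CheckSupi(supi string) (int, string) {
	if err := ValidateSupi(supi); err != nil {
		// Keep err for the server log; the client sees a fixed body with no
		// upstream URLs, hostnames or Go error strings.
		return 400, `{"status":400,"cause":"MANDATORY_IE_INCORRECT"}`
	}
	return 0, ""
}

func main() {
	// Constructed sample inputs.
	for _, s := range []string{"imsi-208930000000001", "imsi-2089\x00", "imsi-20893\r\nx"} {
		status, _ := CheckSupi(s)
		fmt.Printf("%q -> %d\n", s, status)
	}
}
```

A deployment that also serves NAI, GCI or GLI based SUPIs would need additional patterns; the control-character rejection applies to all of them.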
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/free5gc/udm (Go) | <= 1.4.3 | — |
References
- github.com/free5gc/free5gc/security/advisories/GHSA-585v-hcgf-jhfr (nvd: Exploit, Mitigation, Vendor Advisory; WEB)
- github.com/advisories/GHSA-585v-hcgf-jhfr (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-42459 (ghsa; ADVISORY)
- github.com/free5gc/free5gc/security/advisories/GHSA-h4wg-rp7m-8xx4 (ghsa; WEB)
- github.com/free5gc/udm/blob/v1.4.3/internal/sbi/api_subscriberdatamanagement.go (ghsa; WEB)
News mentions
- Free5gc 4.2.2: 20 CVEs Land in Single Disclosure — Missing Auth, Panics, and Protocol Flaws (Vypr Intelligence · May 27, 2026)