VYPR
Patch · Published May 31, 2026 · 1 source

Free5gc 4.2.2 Patches 20 CVEs Including Four Critical Missing-Auth Bugs

Twenty vulnerabilities, four with CVSS 10.0, were disclosed in the open-source Free5gc 5G core network, all fixed in version 4.2.2.

Twenty security vulnerabilities were disclosed together on May 27, 2026, affecting Free5gc, the open-source 5G core network implementation. The batch — fixed in version 4.2.2 — spans missing OAuth2 authorization middleware, nil-pointer panics, race conditions, type-confusion bugs, and protocol-level enforcement gaps across nearly every major network function (NEF, SMF, PCF, UDR, UDM, BSF, NRF, and AMF). Four of the CVEs carry a CVSS score of 10.0 (Critical), making this one of the most severe single-disclosure events in the project's history.

Four CVEs share a root cause: route groups mounted without inbound OAuth2/bearer-token authorization middleware. CVE-2026-44330 (CVSS 10.0) affects the NEF nnef-pfdmanagement route group — a network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token to hit PFD-management endpoints. CVE-2026-44327 (CVSS 10.0) targets the same NEF component's nnef-oam route group, where requests with no Authorization header at all return 200 OK. CVE-2026-44329 (CVSS 10.0) hits SMF's UPI management route group, which similarly lacks OAuth2 middleware. CVE-2026-44326 (CVSS 9.4) covers NEF's 3gpp-traffic-influence API, allowing an attacker to create, read, patch, and delete traffic-influence subscriptions without valid authorization.
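A regression check for this class of bug, as an added example (not Free5gc code): it mounts two constructed route groups with Go's standard `net/http`, probes each one with a chosen Authorization value, and reports every group that does not answer 401. `requireBearer`, `buildMux`, `unprotected`, the `/group-a/` and `/group-b/` prefixes and the token value are hypothetical names chosen for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireBearer stands in for inbound OAuth2 middleware; validate is a hypothetical token check.
func requireBearer(validate func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if tok, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer "); !ok || !validate(tok) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// buildMux mounts two constructed route groups; protectAll=false leaves /group-b/ without middleware.
func buildMux(protectAll bool) *http.ServeMux {
	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	guarded := requireBearer(func(t string) bool { return t == "constructed-valid-token" }, handler)
	mux := http.NewServeMux()
	mux.Handle("/group-a/", guarded)
	if protectAll {
		handler = guarded
	}
	mux.Handle("/group-b/", handler) // bare handler when protectAll is false
	return mux
}

// unprotected lists prefixes that answer anything but 401 to the given Authorization value ("" = no header).
func unprotected(h http.Handler, auth string, prefixes ...string) (bad []string) {
	for _, p := range prefixes {
		req := httptest.NewRequest(http.MethodGet, p+"probe", nil)
		if auth != "" {
			req.Header.Set("Authorization", auth)
		}
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		if rec.Code != http.StatusUnauthorized {
			bad = append(bad, p)
		}
	}
	return bad
}

func main() { fmt.Println(unprotected(buildMux(false), "", "/group-a/", "/group-b/")) }
```

Run against a real router, the same probe belongs in CI with the full list of mounted prefixes, so a newly added route group that skips the middleware fails the build.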

A second thematic cluster involves nil-pointer dereferences and panic conditions that crash individual network functions. CVE-2026-44328 (CVSS 8.2) in SMF's UPI handler unconditionally dereferences upNode.UPF after a type-guarded async release, causing a panic. CVE-2026-44321 (CVSS 7.5) in the same SMF UPI route group passes attacker-controlled JSON directly into UpNodesFromConfiguration(), which can trigger a nil-pointer panic. In NEF, CVE-2026-44322 (CVSS 7.5) causes a panic when a PATCH to PFD-management applications receives a nil response from an upstream UDR call. CVE-2026-44319 (CVSS 7.5) goes further — a failed PFD-subscription notifyUri delivery triggers logger.Panicf(), terminating the entire NEF process.

Two AMF protocol-enforcement bugs complete the batch. CVE-2026-42082 (CVSS 3.7) documents that AMF does not enforce the concurrent security procedure rules from 3GPP TS 33.501 §6.9.5.1 — it does not check for ongoing N2 handover procedures before initiating a NAS Security Mode Command, and vice versa. CVE-2026-42081 (CVSS 6.1) describes a missing verification of UE Security Capabilities received in NGAP PathSwitchRequest messages against locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1 — a malicious gNB can overwrite the AMF's stored UE security capabilities. Finally, CVE-2026-42459 (CVSS 7.5) in UDM's nudm-sdm service fails to validate the supi path parameter in six GET handlers, allowing an unauthenticated attacker to inject control characters into the SUPI parameter.

All 20 CVEs are addressed in Free5gc version 4.2.2. Users running any earlier version — particularly deployments that expose SBI interfaces to untrusted networks — should upgrade immediately. The missing-OAuth2 bugs are especially urgent: they allow unauthenticated or trivially-forged-token access to core network function APIs. Organizations operating Free5gc in testbeds, research labs, or production-adjacent environments should treat this batch as a single coordinated upgrade event.

Free5gc is the most widely used open-source 5G core in academic research, prototyping, and early-stage deployments. The disclosure underscores the complexity of implementing 5G security standards correctly across a large codebase. While the project's maintainers have responded quickly with a comprehensive patch, the sheer number of critical and high-severity flaws raises questions about the maturity of security testing in open-source telecom software. As 5G networks increasingly rely on open-source components, coordinated disclosure and rapid patching will be essential to prevent real-world exploitation.

Synthesized by Vypr AI