Null Byte Injection Vulnerability in Free5GC UDM API
CVE-2026-33191
8.7 HIGH
What is CVE-2026-33191?
Free5GC, an open-source project by the Linux Foundation for 5G core networks, is affected by a null byte injection vulnerability in the UDM's Nudm_SubscriberDataManagement API. An attacker can inject a URL-encoded null byte (%00) into the 'supi' path parameter. URL parsing in Go's net/url package then fails, and the UDM responds with 500 Internal Server Error instead of the appropriate 400 Bad Request. Because improperly formatted URLs make the UDM malfunction rather than be rejected cleanly, the flaw can enable remote denial of service attacks. The issue has been addressed in version 1.4.2.
Affected Version(s)
free5gc < 1.4.2
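The failure mode described above, as an added Go example that is not free5GC code and not the project's patch: a handler that builds a second URL from the decoded 'supi' value returns 500 when the value holds a NUL byte, while the same handler with an input check returns 400. The route prefix, downstream URL, function names and the control-byte check are hypothetical, and the example assumes the net/url failure occurs when the decoded value is placed into another URL.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed values: the route prefix and downstream base URL are hypothetical.
const routePrefix = "/sdm-demo/"
const downstreamBase = "http://udr.invalid/subscription-data/"

// hasControlByte reports whether s holds an ASCII control character (0x00-0x1F, 0x7F).
func hasControlByte(s string) bool {
	return strings.IndexFunc(s, func(r rune) bool { return r < 0x20 || r == 0x7f }) >= 0
}

// handler builds a downstream URL from the supi segment. With validate=false a
// decoded NUL reaches url.Parse, which rejects it, and the caller sees a 500.
func handler(validate bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		supi := strings.TrimPrefix(r.URL.Path, routePrefix) // already percent-decoded
		if validate && (supi == "" || hasControlByte(supi)) {
			http.Error(w, "malformed supi", http.StatusBadRequest)
			return
		}
		if _, err := url.Parse(downstreamBase + supi); err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}

// statusFor sends a GET for the given raw (still percent-encoded) supi.
func statusFor(validate bool, rawSupi string) int {
	rec := httptest.NewRecorder()
	handler(validate)(rec, httptest.NewRequest(http.MethodGet, routePrefix+rawSupi, nil))
	return rec.Code
}

func main() {
	for _, s := range []string{"imsi-208930000000001", "imsi-208930000000001%00"} { // constructed SUPIs
		fmt.Printf("%-26s unvalidated=%d validated=%d\n", s, statusFor(false, s), statusFor(true, s))
	}
}
```

A spike of 500 responses on SUPI-bearing routes where the request path contains %00 is the corresponding signal to look for in UDM access logs.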
