Memory Leak Vulnerability in free5GC's UDR Affecting Policy Control Function
CVE-2026-41135

7.5 HIGH

Key Information:

Vendor: Free5gc

Status
Vendor
CVE Published: 21 April 2026

What is CVE-2026-41135?

The free5GC UDR, part of an open-source project for 5G mobile core networks, contains a memory leak vulnerability. In versions prior to 1.4.3, an unauthenticated attacker with network access can exploit the Policy Control Function (PCF) by repeatedly sending HTTP requests to the Operations and Management (OAM) endpoint. The root cause is an improper use of router.Use(): a new CORS middleware is registered for each incoming request, so the Gin router's handler chain grows without bound. The result is progressive memory exhaustion and a Denial of Service that prevents all User Equipment (UEs) from obtaining AM and SM policies and blocks 5G session establishment. Version 1.4.3 fixes this vulnerability.
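The growth mechanism described above, as an added example that is not free5GC or Gin code: a standard-library model of a shared middleware chain, comparing registration inside the request handler with registration once at start-up. The names `engine`, `cors`, `newVulnerable`, `newFixed`, `chainAfter` and the `/oam` path are hypothetical, and the one-time registration is an assumption about the shape of the fix, which the advisory does not describe.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// engine is a hypothetical stand-in for a Gin-style router with one shared chain.
type engine struct {
	chain []func(http.ResponseWriter) // only ever appended to, never trimmed
	route http.HandlerFunc
}

func (e *engine) Use(mw func(http.ResponseWriter)) { e.chain = append(e.chain, mw) }
func (e *engine) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	for _, mw := range e.chain { // every request walks the whole chain
		mw(w)
	}
	e.route(w, r)
}
func cors(w http.ResponseWriter) { w.Header().Set("Access-Control-Allow-Origin", "*") }

// newVulnerable registers the CORS middleware from inside the request path.
func newVulnerable() *engine {
	e := &engine{}
	e.route = func(w http.ResponseWriter, _ *http.Request) {
		e.Use(cors) // one more chain entry per request, retained for the process lifetime
		w.WriteHeader(http.StatusOK)
	}
	return e
}

// newFixed registers the middleware once, before any request is served (assumed fix shape).
func newFixed() *engine {
	e := &engine{}
	e.Use(cors)
	e.route = func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }
	return e
}

// chainAfter sends n constructed GET requests (placeholder path) and returns the chain length.
func chainAfter(e *engine, n int) int {
	for i := 0; i < n; i++ {
		e.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest("GET", "/oam", nil))
	}
	return len(e.chain)
}
func main() { fmt.Println(chainAfter(newVulnerable(), 1000), chainAfter(newFixed(), 1000)) }
```

A chain length that tracks request count rather than route count is the signal to look for in code review or in a heap profile of the running service.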

Affected Version(s)

pcf < 1.4.3

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
