Open-Source 5G Core Network Implementation Vulnerability in free5GC
CVE-2026-44317

6.5 MEDIUM

Key Information:

Vendor

Free5gc

Status
Vendor
CVE Published: 27 May 2026

What is CVE-2026-44317?

In free5GC versions prior to 4.2.2, the PCF component mishandles specific authenticated requests, resulting in a runtime error. When a request sets 'ascReqData.suppFeat' to '1' and its 'medComponents' contain an 'afAppId' but lack an 'AfRoutReq', the PCF dereferences the missing value without first checking for nil. The dereference causes a panic with an invalid memory address error, and the request is answered with an HTTP 500 response. Users should update to version 4.2.2 or later to mitigate this risk.
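The bug class described above, shown next to a nil-checked version. This is an added illustration, not free5GC's code or its 4.2.2 patch: the types, function names, the recover-to-500 stand-in for the HTTP layer, and the choice of a 400 rejection are all assumptions, and the request is constructed sample data.

```go
package main

import "fmt"

// Hypothetical, simplified stand-ins for the request fields named in the advisory.
type RoutingReq struct{ AppReloc bool }
type MedComponent struct {
	AfAppId   string
	AfRoutReq *RoutingReq // optional field: nil when the client omits it
}
type AscReqData struct {
	SuppFeat      string
	MedComponents map[string]MedComponent
}

// unsafeStatus dereferences AfRoutReq with no nil check; the deferred recover
// stands in for an HTTP layer that turns a handler panic into a 500.
func unsafeStatus(d AscReqData) (status int) {
	defer func() {
		if recover() != nil {
			status = 500
		}
	}()
	for _, mc := range d.MedComponents {
		if d.SuppFeat == "1" && mc.AfAppId != "" {
			_ = mc.AfRoutReq.AppReloc // panics when AfRoutReq is nil
		}
	}
	return 201
}

// safeStatus validates the optional pointer first and rejects the request
// as a client error (400 is this example's choice) instead of panicking.
func safeStatus(d AscReqData) int {
	for _, mc := range d.MedComponents {
		if d.SuppFeat == "1" && mc.AfAppId != "" {
			if mc.AfRoutReq == nil {
				return 400
			}
			_ = mc.AfRoutReq.AppReloc // safe: checked above
		}
	}
	return 201
}

// constructedRequest builds sample input (constructed, not captured traffic).
func constructedRequest(r *RoutingReq) AscReqData {
	return AscReqData{"1", map[string]MedComponent{"1": {AfAppId: "example-app", AfRoutReq: r}}}
}

func main() { fmt.Println(unsafeStatus(constructedRequest(nil)), safeStatus(constructedRequest(nil))) }
```

For detection, the same condition shows up operationally as HTTP 500 responses from the PCF paired with an "invalid memory address or nil pointer dereference" panic in its logs.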

Affected Version(s)

free5gc < 4.2.2

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved