Input Validation Flaw in free5GC's SMF Component
CVE-2026-44321

7.5 HIGH

Key Information:

Vendor

Free5gc

Status
Vendor
CVE Published:
27 May 2026

What is CVE-2026-44321?

CVE-2026-44321 is an input validation flaw in the Session Management Function (SMF) of free5GC, an open-source implementation of the 5G core network, that can be exploited by sending attacker-controlled JSON data. Prior to version 4.2.2, the SMF did not apply inbound OAuth2 middleware to the UPI management route group. As a result, an unauthenticated POST request that results in new UPF pool overlaps could terminate the entire SMF process, compromising the stability of the 5G network. The vulnerability was resolved in version 4.2.2.
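
The two defensive properties the description implies, as an added example that is not free5GC's code: the management route sits behind a token-checking middleware, and an overlapping pool is answered with an HTTP error instead of ending the process. The function names, the `cidr` JSON field, the status codes and the token validator are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/netip"
	"strings"
)

// poolStatus maps one untrusted CIDR to an HTTP status; it never exits or panics.
func poolStatus(existing []netip.Prefix, cidr string) int {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return http.StatusBadRequest
	}
	for _, e := range existing {
		if e.Overlaps(p) {
			return http.StatusConflict
		}
	}
	return http.StatusCreated
}

// requireToken stands in for inbound OAuth2 middleware; verify is a hypothetical validator.
func requireToken(verify func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if h := r.Header.Get("Authorization"); !strings.HasPrefix(h, "Bearer ") || !verify(strings.TrimPrefix(h, "Bearer ")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// addPool is a hypothetical management handler: bounded body, 4xx on bad input.
func addPool(existing []netip.Prefix) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in struct{ CIDR string `json:"cidr"` }
		if json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096)).Decode(&in) != nil {
			http.Error(w, "bad JSON", http.StatusBadRequest)
			return
		}
		w.WriteHeader(poolStatus(existing, in.CIDR))
	})
}

func main() { // local run; the pool and the token check are constructed placeholders
	pools := []netip.Prefix{netip.MustParsePrefix("10.60.0.0/16")}
	http.ListenAndServe("127.0.0.1:8080", requireToken(func(t string) bool { return t == "demo-token" }, addPool(pools)))
}
```

The middleware wraps the whole handler, so a request without a valid token is rejected before any JSON is parsed.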

Affected Version(s)

free5gc < 4.2.2

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
