Unauthenticated Remote Code Execution in free5GC's SMF Component
CVE-2026-44328

8.2 HIGH

Key Information:

Vendor: Free5gc
Status: Vendor
CVE Published: 27 May 2026

What is CVE-2026-44328?

free5GC is an open-source 5G core network implementation. In its SMF component, prior to version 4.2.2, the UPI management route group is mounted without the inbound OAuth2 middleware, so its endpoints accept unauthenticated requests. An attacker can therefore manipulate the in-memory user-plane topology without authentication. In addition, a specially crafted DELETE /upi/v1/upNodesLinks/{upNodeRef} request targeting any Access Node entry triggers a nil-pointer panic in the handler, resulting in a denial of service. The issue is fixed in version 4.2.2, and users are advised to upgrade.
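An added illustration, not free5GC's code: a Go net/http model of the flaw described above, with the UPI prefix mounted with and without an auth wrapper and a nil guard for Access Node entries. The `upf` type, the `requireBearer` presence check and the sample topology are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const upiPrefix = "/upi/v1/upNodesLinks/"
// Hypothetical model: an Access Node (AN) entry has no UPF context (nil pointer).
type upf struct{ addr string }

// requireBearer stands in for OAuth2 validation; it only checks token presence.
func requireBearer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter mounts the UPI group over a constructed topology, with or without auth.
func newRouter(withAuth bool) http.Handler {
	topo := map[string]*upf{"gNB1": nil, "UPF1": {addr: "10.0.0.1"}}
	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// After StripPrefix the path is the node reference; method routing omitted.
		if u := topo[r.URL.Path]; u != nil { // nil guard: AN entries are skipped
			_ = u.addr // UPF-specific teardown would go here
		}
		delete(topo, r.URL.Path)
		w.WriteHeader(http.StatusNoContent)
	})
	if withAuth {
		h = requireBearer(h) // the wrapper the vulnerable mount lacked
	}
	return http.StripPrefix(upiPrefix, h)
}

// deleteStatus sends DELETE for ref with the given Authorization header value.
func deleteStatus(h http.Handler, ref, auth string) int {
	req := httptest.NewRequest(http.MethodDelete, upiPrefix+ref, nil)
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(deleteStatus(newRouter(false), "gNB1", ""), deleteStatus(newRouter(true), "gNB1", "")) }
```

Without the wrapper the unauthenticated DELETE is served; with it the same request is rejected before the handler runs.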

Affected Version(s)

free5gc < 4.2.2

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
