CVE-2026-44317
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
27/05/2026
Last modified:
28/05/2026
Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's PCF POST /npcf-policyauthorization/v1/app-sessions handler panics on a single authenticated request whose ascReqData.suppFeat == "1" (enabling traffic-routing feature negotiation) and whose medComponents entries supply an afAppId but no AfRoutReq. The create path then calls provisioningOfTrafficRoutingInfo(smPolicy, appID, routeReq, ...) with routeReq == nil and dereferences routeReq.RouteToLocs (and other fields) without a nil check, causing "runtime error: invalid memory address or nil pointer dereference". Gin's recovery middleware converts the panic into an HTTP 500 response, so one crafted request from any authenticated AF fails the session creation. This vulnerability is fixed in 4.2.2.
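The trigger condition described above, reduced to a stand-alone Go example. This is added illustration, not free5GC's PCF code: the struct types are a simplified model of the 3GPP TS 29.514 AppSessionContext attributes the advisory names (ascReqData, suppFeat, medComponents, afAppId, afRoutReq, routeToLocs), the function names vulnerableProvisioning, hardenedProvisioning and handleCreate are hypothetical, and the JSON bodies are constructed. It shows the nil dereference on a pointer that the decoder leaves unset, and the guard a fixed handler needs before touching it.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Simplified shapes of the Npcf_PolicyAuthorization request body.
// Illustrative only; the JSON tags follow the attribute names in the advisory.
type RoutingRequirement struct {
	RouteToLocs []string `json:"routeToLocs,omitempty"`
}

type MediaComponent struct {
	AfAppId   string              `json:"afAppId,omitempty"`
	AfRoutReq *RoutingRequirement `json:"afRoutReq,omitempty"` // nil when absent
}

type AppSessionContextReqData struct {
	SuppFeat      string                    `json:"suppFeat"`
	MedComponents map[string]MediaComponent `json:"medComponents,omitempty"`
}

type AppSessionContext struct {
	AscReqData *AppSessionContextReqData `json:"ascReqData"`
}

// trafficRoutingEnabled: the advisory's trigger is suppFeat == "1".
func trafficRoutingEnabled(suppFeat string) bool { return suppFeat == "1" }

// vulnerableProvisioning mimics the pre-4.2.2 pattern: it assumes routeReq is
// set whenever traffic routing was negotiated and dereferences it directly.
func vulnerableProvisioning(appID string, routeReq *RoutingRequirement) []string {
	// Field access through a nil pointer panics with
	// "invalid memory address or nil pointer dereference".
	return routeReq.RouteToLocs
}

var errMissingRouteReq = errors.New("afRoutReq is required when suppFeat enables traffic routing")

// hardenedProvisioning validates the pointer before use and reports the
// malformed component to the caller instead of panicking.
func hardenedProvisioning(appID string, routeReq *RoutingRequirement) ([]string, error) {
	if routeReq == nil {
		return nil, errMissingRouteReq
	}
	return routeReq.RouteToLocs, nil
}

// handleCreate simulates the create path with the guard in place.
// It returns the HTTP status a handler would send: 201 on success, 400 on a
// component that names an afAppId without an afRoutReq.
func handleCreate(body []byte) (int, string) {
	var asc AppSessionContext
	if err := json.Unmarshal(body, &asc); err != nil || asc.AscReqData == nil {
		return 400, "malformed AppSessionContext"
	}
	req := asc.AscReqData
	if !trafficRoutingEnabled(req.SuppFeat) {
		return 201, "created (no traffic routing negotiated)"
	}
	for id, mc := range req.MedComponents {
		if mc.AfAppId == "" {
			continue
		}
		if _, err := hardenedProvisioning(mc.AfAppId, mc.AfRoutReq); err != nil {
			return 400, fmt.Sprintf("medComponents[%s]: %v", id, err)
		}
	}
	return 201, "created"
}

// Constructed trigger body: suppFeat "1", one media component with afAppId and no afRoutReq.
const triggerBody = `{"ascReqData":{"suppFeat":"1","medComponents":{"0":{"afAppId":"app-1"}}}}`

// vulnerablePanics runs the unguarded path and reports whether it panicked,
// standing in for what Gin's recovery middleware would turn into a 500.
func vulnerablePanics(body []byte) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	var asc AppSessionContext
	_ = json.Unmarshal(body, &asc)
	for _, mc := range asc.AscReqData.MedComponents {
		if mc.AfAppId != "" {
			vulnerableProvisioning(mc.AfAppId, mc.AfRoutReq)
		}
	}
	return false
}

func main() {
	fmt.Println("unguarded path panics:", vulnerablePanics([]byte(triggerBody)))
	code, msg := handleCreate([]byte(triggerBody))
	fmt.Println("guarded path:", code, msg)
}
```

The same shape recurs wherever a decoder fills an optional pointer field: the absence of the attribute yields nil, not an empty struct, so every feature-gated branch that reads through such a pointer needs an explicit nil check tied to the feature flag that made the field mandatory.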
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:* | | 4.2.2 (excluding) |
References to Advisories, Solutions, and Tools
- https://github.com/free5gc/free5gc/issues/879
- https://github.com/free5gc/free5gc/security/advisories/GHSA-wwqh-7jm5-gj7w
- https://github.com/free5gc/pcf/commit/508d70b8527a6c8c923179dad450ea01e16b6aeb
- https://github.com/free5gc/pcf/pull/65