CWE-754
Allowed-with-ReviewImproper Check for Unusual or Exceptional Conditions
Abstraction: Class · Status: Incomplete
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
905 vulnerabilities reference this CWE, most recent first.
GHSA-JH8R-93CX-CRMC
Vulnerability from github – Published: 2022-05-14 01:02 – Updated: 2025-04-20 03:49The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic.
{
"affected": [],
"aliases": [
"CVE-2017-1000407"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-11T21:29:00Z",
"severity": "HIGH"
},
"details": "The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic.",
"id": "GHSA-jh8r-93cx-crmc",
"modified": "2025-04-20T03:49:47Z",
"published": "2022-05-14T01:02:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000407"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0676"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1062"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1170"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2017-1000407"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00004.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3583-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3583-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3617-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3617-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3619-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3619-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3632-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-4073"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4082"
},
{
"type": "WEB",
"url": "https://www.spinics.net/lists/kvm/msg159809.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2017/12/04/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102038"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JMWV-XWW6-6HCV
Vulnerability from github – Published: 2023-07-13 00:30 – Updated: 2024-04-04 06:05In ShortcutInfo of ShortcutInfo.java, there is a possible way for an app to retain notification listening access due to an uncaught exception. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2023-21246"
],
"database_specific": {
"cwe_ids": [
"CWE-273",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-13T00:15:23Z",
"severity": "LOW"
},
"details": "In ShortcutInfo of ShortcutInfo.java, there is a possible way for an app to retain notification listening access due to an uncaught exception. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.\n\n",
"id": "GHSA-jmwv-xww6-6hcv",
"modified": "2024-04-04T06:05:20Z",
"published": "2023-07-13T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21246"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/fc1b9998ca8a9fceba47d67fd9ea9b45705b53e0"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-07-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JMX8-355M-8VWH
Vulnerability from github – Published: 2021-04-19 14:53 – Updated: 2021-04-16 23:18Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.
- https://vaadin.com/security/cve-2018-25007
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.5"
},
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:flow-server"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-25007"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-16T23:18:28Z",
"nvd_published_at": "2021-04-23T16:15:00Z",
"severity": "LOW"
},
"details": "Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.\n\n- https://vaadin.com/security/cve-2018-25007",
"id": "GHSA-jmx8-355m-8vwh",
"modified": "2021-04-16T23:18:28Z",
"published": "2021-04-19T14:53:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vaadin/flow/security/advisories/GHSA-jmx8-355m-8vwh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25007"
},
{
"type": "WEB",
"url": "https://github.com/vaadin/flow/pull/4774"
},
{
"type": "WEB",
"url": "https://vaadin.com/security/cve-2018-25007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11"
}
GHSA-JP8P-MV2J-QXC2
Vulnerability from github – Published: 2023-04-19 09:30 – Updated: 2024-04-04 03:35A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause denial of service of the controller when a malicious project file is loaded onto the controller by an authenticated user.
{
"affected": [],
"aliases": [
"CVE-2023-25620"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-19T09:15:07Z",
"severity": "MODERATE"
},
"details": "\n\n\nA CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that\ncould cause denial of service of the controller when a malicious project file is loaded onto the\ncontroller by an authenticated user. \n\n \n\n",
"id": "GHSA-jp8p-mv2j-qxc2",
"modified": "2024-04-04T03:35:01Z",
"published": "2023-04-19T09:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25620"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-05\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-101-05.pdf"
},
{
"type": "WEB",
"url": "https://https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-05\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-101-05.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQ9H-7VHV-WHC7
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08A vulnerability in the handling of exceptional conditions in Juniper Networks Junos OS Evolved (EVO) allows an attacker to send specially crafted packets to the device, causing the Advanced Forwarding Toolkit manager (evo-aftmand-bt or evo-aftmand-zx) process to crash and restart, impacting all traffic going through the FPC, resulting in a Denial of Service (DoS). Continued receipt and processing of these packets will create a sustained Denial of Service (DoS) condition. Following messages will be logged prior to the crash: Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:32710470974358 label:1089551617 for session:18 probe:35 Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:19241453497049 label:1089551617 for session:18 probe:37 Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:19241453497049 label:1089551617 for session:18 probe:44 Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:32710470974358 label:1089551617 for session:18 probe:47 Feb 2 10:14:39 fpc0 audit[16263]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 pid=16263 comm="EvoAftManBt-mai" exe="/usr/sbin/evo-aftmand-bt" sig=11 Feb 2 10:14:39 fpc0 kernel: audit: type=1701 audit(1612260879.272:17): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=16263 comm="EvoAftManBt-mai" exe="/usr/sbin/evo-aftmand-bt" sig=1 This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R2-EVO; 21.1 versions prior to 21.1R2-EVO.
{
"affected": [],
"aliases": [
"CVE-2021-0286"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-15T20:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the handling of exceptional conditions in Juniper Networks Junos OS Evolved (EVO) allows an attacker to send specially crafted packets to the device, causing the Advanced Forwarding Toolkit manager (evo-aftmand-bt or evo-aftmand-zx) process to crash and restart, impacting all traffic going through the FPC, resulting in a Denial of Service (DoS). Continued receipt and processing of these packets will create a sustained Denial of Service (DoS) condition. Following messages will be logged prior to the crash: Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:32710470974358 label:1089551617 for session:18 probe:35 Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:19241453497049 label:1089551617 for session:18 probe:37 Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:19241453497049 label:1089551617 for session:18 probe:44 Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:32710470974358 label:1089551617 for session:18 probe:47 Feb 2 10:14:39 fpc0 audit[16263]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 pid=16263 comm=\"EvoAftManBt-mai\" exe=\"/usr/sbin/evo-aftmand-bt\" sig=11 Feb 2 10:14:39 fpc0 kernel: audit: type=1701 audit(1612260879.272:17): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=16263 comm=\"EvoAftManBt-mai\" exe=\"/usr/sbin/evo-aftmand-bt\" sig=1 This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R2-EVO; 21.1 versions prior to 21.1R2-EVO.",
"id": "GHSA-jq9h-7vhv-whc7",
"modified": "2022-05-24T19:08:07Z",
"published": "2022-05-24T19:08:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0286"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA11188"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JQFC-GWJ5-3W63
Vulnerability from github – Published: 2026-05-08 22:52 – Updated: 2026-06-08 23:48Summary
free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does not exist in UESubsCollection. The processor checks value, ok := udrSelf.UESubsCollection.Load(ueId) and sets a 404 USER_NOT_FOUND problem-details on the miss path, but execution continues and immediately runs value.(*udr_context.UESubsData) -- a Go type assertion on a nil interface, which panics with interface conversion: interface {} is nil, not *context.UESubsData. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable.
This is the no-precondition sibling of free5gc/free5gc#919: same handler, same bug pattern (set pd, do not return, then dereference), but the panic site is the nil-interface type assertion at line 61 instead of the nil-pointer deref at line 69. No earlier EE-subscription create is required.
This endpoint requires a valid nudr-dr OAuth2 access token (PR:L, NOT PR:N), so this is scored as an authenticated panic-DoS, not as an unauth-bypass finding.
Details
Validated against the UDR container in the official Docker compose lab.
- Source repo tag: v4.2.1
- Running Docker image: free5gc/udr:v4.2.1
- Runtime UDR commit: 754d23b0
- Docker validation date: 2026-03-22
- UDR endpoint: http://10.100.200.11:8000
Vulnerable handler (the ok miss path sets pd but does not return; the next line type-asserts the nil interface):
subsId := c.Params.ByName("subsId")
s.Processor().RemoveAmfSubscriptionsInfoProcedure(c, subsId, ueId)
In the processor:
value, ok := udrSelf.UESubsCollection.Load(ueId)
if !ok {
pd = util.ProblemDetailsNotFound("USER_NOT_FOUND")
}
UESubsData := value.(*udr_context.UESubsData) // panics: nil interface
When ueId is absent from UESubsCollection, value is the nil interface{} returned by sync.Map.Load, and value.(*udr_context.UESubsData) panics with:
panic: interface conversion: interface {} is nil, not *context.UESubsData
Code evidence (paths in free5gc/udr):
- Route exposure + handler dispatch:
- NFs/udr/internal/sbi/api_datarepository.go:2161
- NFs/udr/internal/sbi/api_datarepository.go:2170
- NFs/udr/internal/sbi/api_datarepository.go:2172
- Panic root cause (nil interface type assertion):
- NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:53
- NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:56
- NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:61
PoC
Reproduced end-to-end against the running UDR at http://10.100.200.11:8000 -- single authenticated request, no preconditions.
- Restart UDR (clean state -- proves no precondition is needed):
docker restart udr
- Obtain a valid
nudr-drtoken from NRF:
curl -sS -X POST 'http://10.100.200.3:8000/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data 'grant_type=client_credentials&nfType=NEF&nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57&targetNfType=UDR&scope=nudr-dr'
- Trigger the panic with one DELETE for a nonexistent
ueId=x:
curl -i -sS -X DELETE \
'http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions' \
-H 'Authorization: Bearer <valid_nudr_dr_jwt>'
HTTP/1.1 500 Internal Server Error
Content-Length: 0
- UDR container logs (
docker logs udr) confirm the nil-interface conversion panic atevent_amf_subscription_info_document.go:61insideRemoveAmfSubscriptionsInfoProcedure:
[ERRO][UDR][GIN] panic: interface conversion: interface {} is nil, not *context.UESubsData
github.com/free5gc/udr/internal/sbi/processor.(*Processor).RemoveAmfSubscriptionsInfoProcedure
.../event_amf_subscription_info_document.go:61
github.com/free5gc/udr/internal/sbi.(*Server).HandleRemoveAmfSubscriptionsInfo
.../api_datarepository.go:2172
[INFO][UDR][GIN] | 500 | DELETE | /nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions |
Impact
Incorrect type conversion on a nil interface (CWE-704) inside an authenticated UDR data-repository handler, caused by improper handling of the missing-ueId branch (CWE-754): the handler sets a 404 problem-details value but does not return, then runs a Go type assertion on the nil interface returned by sync.Map.Load.
This is NOT framed as an auth-bypass finding: the endpoint requires a valid nudr-dr OAuth2 access token. A network attacker who already holds (or can obtain) a valid token can:
- Trigger a reliable, single-request panic on the amf-subscriptions delete route against a fresh UDR (no preparatory state needed -- this is strictly easier than free5gc/free5gc#919).
- Repeat the trigger to sustain a per-request panic-DoS on UDR's data-repository surface, with each panic costing more CPU + log writes than the intended 404 USER_NOT_FOUND response would have.
No Confidentiality impact (the response is 500 with empty body). No Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation (Gin recovers; the UDR process keeps running).
Affected: free5gc v4.2.1.
Upstream issue: https://github.com/free5gc/free5gc/issues/920 Upstream fix: https://github.com/free5gc/udr/pull/60
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/free5gc/udr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44324"
],
"database_specific": {
"cwe_ids": [
"CWE-704",
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T22:52:20Z",
"nvd_published_at": "2026-05-27T17:16:37Z",
"severity": "MODERATE"
},
"details": "### Summary\nfree5GC\u0027s UDR `nudr-dr` `DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions` handler panics on a single authenticated request against a fresh UDR instance when the supplied `ueId` does not exist in `UESubsCollection`. The processor checks `value, ok := udrSelf.UESubsCollection.Load(ueId)` and sets a `404 USER_NOT_FOUND` problem-details on the miss path, but execution continues and immediately runs `value.(*udr_context.UESubsData)` -- a Go type assertion on a nil interface, which panics with `interface conversion: interface {} is nil, not *context.UESubsData`. Gin recovery converts the panic into `HTTP 500`, but the endpoint remains repeatedly panicable.\n\nThis is the no-precondition sibling of free5gc/free5gc#919: same handler, same bug pattern (set `pd`, do not return, then dereference), but the panic site is the nil-interface type assertion at line 61 instead of the nil-pointer deref at line 69. No earlier EE-subscription create is required.\n\nThis endpoint requires a valid `nudr-dr` OAuth2 access token (PR:L, NOT PR:N), so this is scored as an authenticated panic-DoS, not as an unauth-bypass finding.\n\n### Details\nValidated against the UDR container in the official Docker compose lab.\n- Source repo tag: `v4.2.1`\n- Running Docker image: `free5gc/udr:v4.2.1`\n- Runtime UDR commit: `754d23b0`\n- Docker validation date: 2026-03-22\n- UDR endpoint: `http://10.100.200.11:8000`\n\nVulnerable handler (the `ok` miss path sets `pd` but does not return; the next line type-asserts the nil interface):\n```go\nsubsId := c.Params.ByName(\"subsId\")\ns.Processor().RemoveAmfSubscriptionsInfoProcedure(c, subsId, ueId)\n```\nIn the processor:\n```go\nvalue, ok := udrSelf.UESubsCollection.Load(ueId)\nif !ok {\n pd = util.ProblemDetailsNotFound(\"USER_NOT_FOUND\")\n}\n\nUESubsData := value.(*udr_context.UESubsData) // panics: nil interface\n```\nWhen `ueId` is absent from `UESubsCollection`, `value` is the nil `interface{}` returned by `sync.Map.Load`, and `value.(*udr_context.UESubsData)` panics with:\n```\npanic: interface conversion: interface {} is nil, not *context.UESubsData\n```\n\nCode evidence (paths in `free5gc/udr`):\n- Route exposure + handler dispatch:\n - `NFs/udr/internal/sbi/api_datarepository.go:2161`\n - `NFs/udr/internal/sbi/api_datarepository.go:2170`\n - `NFs/udr/internal/sbi/api_datarepository.go:2172`\n- Panic root cause (nil interface type assertion):\n - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:53`\n - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:56`\n - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:61`\n\n### PoC\nReproduced end-to-end against the running UDR at `http://10.100.200.11:8000` -- single authenticated request, no preconditions.\n\n1. Restart UDR (clean state -- proves no precondition is needed):\n```\ndocker restart udr\n```\n\n2. Obtain a valid `nudr-dr` token from NRF:\n```\ncurl -sS -X POST \u0027http://10.100.200.3:8000/oauth2/token\u0027 \\\n -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 \\\n --data \u0027grant_type=client_credentials\u0026nfType=NEF\u0026nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57\u0026targetNfType=UDR\u0026scope=nudr-dr\u0027\n```\n\n3. Trigger the panic with one DELETE for a nonexistent `ueId=x`:\n```\ncurl -i -sS -X DELETE \\\n \u0027http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions\u0027 \\\n -H \u0027Authorization: Bearer \u003cvalid_nudr_dr_jwt\u003e\u0027\n```\n```\nHTTP/1.1 500 Internal Server Error\nContent-Length: 0\n```\n\n4. UDR container logs (`docker logs udr`) confirm the nil-interface conversion panic at `event_amf_subscription_info_document.go:61` inside `RemoveAmfSubscriptionsInfoProcedure`:\n```\n[ERRO][UDR][GIN] panic: interface conversion: interface {} is nil, not *context.UESubsData\ngithub.com/free5gc/udr/internal/sbi/processor.(*Processor).RemoveAmfSubscriptionsInfoProcedure\n .../event_amf_subscription_info_document.go:61\ngithub.com/free5gc/udr/internal/sbi.(*Server).HandleRemoveAmfSubscriptionsInfo\n .../api_datarepository.go:2172\n[INFO][UDR][GIN] | 500 | DELETE | /nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions |\n```\n\n### Impact\nIncorrect type conversion on a nil interface (CWE-704) inside an authenticated UDR data-repository handler, caused by improper handling of the missing-ueId branch (CWE-754): the handler sets a `404` problem-details value but does not return, then runs a Go type assertion on the nil interface returned by `sync.Map.Load`.\n\nThis is NOT framed as an auth-bypass finding: the endpoint requires a valid `nudr-dr` OAuth2 access token. A network attacker who already holds (or can obtain) a valid token can:\n- Trigger a reliable, single-request panic on the `amf-subscriptions` delete route against a fresh UDR (no preparatory state needed -- this is strictly easier than free5gc/free5gc#919).\n- Repeat the trigger to sustain a per-request panic-DoS on UDR\u0027s data-repository surface, with each panic costing more CPU + log writes than the intended `404 USER_NOT_FOUND` response would have.\n\nNo Confidentiality impact (the response is `500` with empty body). No Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation (Gin recovers; the UDR process keeps running).\n\nAffected: free5gc v4.2.1.\n\nUpstream issue: https://github.com/free5gc/free5gc/issues/920\nUpstream fix: https://github.com/free5gc/udr/pull/60",
"id": "GHSA-jqfc-gwj5-3w63",
"modified": "2026-06-08T23:48:08Z",
"published": "2026-05-08T22:52:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44324"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/free5gc/issues/920"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/udr/pull/60"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/udr/commit/8a1d3c63be99d378806d771f086ff32f1867da99"
},
{
"type": "PACKAGE",
"url": "https://github.com/free5gc/free5gc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "free5GC\u0027s UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request)"
}
GHSA-JRVR-GM38-G3H7
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42Improper conditions check in some Intel(R) Graphics Drivers before versions 26.20.100.8141, 15.45.32.5145 and 15.40.46.5144 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2020-24450"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-17T14:15:00Z",
"severity": "HIGH"
},
"details": "Improper conditions check in some Intel(R) Graphics Drivers before versions 26.20.100.8141, 15.45.32.5145 and 15.40.46.5144 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-jrvr-gm38-g3h7",
"modified": "2022-05-24T17:42:27Z",
"published": "2022-05-24T17:42:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24450"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JVXQ-MJ7W-PQW7
Vulnerability from github – Published: 2022-05-14 01:14 – Updated: 2022-05-14 01:14FastStone Image Viewer 6.5 has an Exception Handler Chain Corrupted issue starting at image00400000+0x00000000003ef68a via a crafted image file.
{
"affected": [],
"aliases": [
"CVE-2018-15815"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-26T20:29:00Z",
"severity": "MODERATE"
},
"details": "FastStone Image Viewer 6.5 has an Exception Handler Chain Corrupted issue starting at image00400000+0x00000000003ef68a via a crafted image file.",
"id": "GHSA-jvxq-mj7w-pqw7",
"modified": "2022-05-14T01:14:56Z",
"published": "2022-05-14T01:14:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15815"
},
{
"type": "WEB",
"url": "https://0x00crashes.blogspot.com/2018/08/faststone-image-viewer-65-few-crashes.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JW9R-R4MJ-MPXX
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:49An unhandled exception vulnerability exists during Google Sign-In with Google API C++ Client before 2019-04-10. It potentially causes an outage of third-party services that were not designed to recover from exceptions. On the client, ID token handling can cause an unhandled exception because of misinterpretation of an integer as a string, resulting in denial-of-service and then other users can no longer login/sign-in to the affected third-party service. Once this third-party service uses Google Sign-In with google-api-cpp-client, a malicious user can trigger this client/auth/oauth2_authorization.cc vulnerability by requesting the client to receive the ID token from a Google authentication server.
{
"affected": [],
"aliases": [
"CVE-2018-20840"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-30T16:29:00Z",
"severity": "HIGH"
},
"details": "An unhandled exception vulnerability exists during Google Sign-In with Google API C++ Client before 2019-04-10. It potentially causes an outage of third-party services that were not designed to recover from exceptions. On the client, ID token handling can cause an unhandled exception because of misinterpretation of an integer as a string, resulting in denial-of-service and then other users can no longer login/sign-in to the affected third-party service. Once this third-party service uses Google Sign-In with google-api-cpp-client, a malicious user can trigger this client/auth/oauth2_authorization.cc vulnerability by requesting the client to receive the ID token from a Google authentication server.",
"id": "GHSA-jw9r-r4mj-mpxx",
"modified": "2024-04-04T00:49:52Z",
"published": "2022-05-24T16:46:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20840"
},
{
"type": "WEB",
"url": "https://github.com/google/google-api-cpp-client/issues/57"
},
{
"type": "WEB",
"url": "https://github.com/google/google-api-cpp-client/pull/58"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JWCH-W7WH-GQJM
Vulnerability from github – Published: 2026-04-21 19:05 – Updated: 2026-04-24 21:11Summary
A fail-open request handling flaw in the UDR service causes the /nudr-dr/v2/policy-data/subs-to-notify POST handler to continue processing requests even after request body retrieval or deserialization errors.
This may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior.
Details
The endpoint POST /nudr-dr/v2/policy-data/subs-to-notify is intended to create a Policy Data notification subscription only after the HTTP request body has been successfully read and parsed into a valid PolicyDataSubscription object. [file:93]
In the free5GC UDR implementation, the function HandlePolicyDataSubsToNotifyPost in NFs/udr/internal/sbi/api_datarepository.go does not terminate execution after input-processing failures. [file:93]
The request flow is:
- The handler calls
c.GetRawData()to read the HTTP request body. [file:93] - If
GetRawData()fails, the handler sends an HTTP 500 error response, but does not return. [file:93] - The handler then calls
openapi.Deserialize(policyDataSubscription, reqBody, "application/json"). [file:93] - If deserialization fails, the handler sends an HTTP 400 error response, but again does not return. [file:93]
- Execution continues and the handler still invokes
s.Processor().PolicyDataSubsToNotifyPostProcedure(c,policyDataSubscription). [file:93]
As a result, the endpoint operates in a fail-open manner: request processing may continue after fatal input validation or body handling errors, instead of being safely aborted. [file:93]
This differs from safer handlers in the same file, which use a helper pattern that explicitly returns on body read or deserialization failure before calling the corresponding processor routine. [file:93]
Security Impact
This issue affects a write-capable API that creates Policy Data notification subscriptions. [file:93]
Because execution continues after body read or parsing failure, the processor may receive an uninitialized, partially initialized, or otherwise unintended PolicyDataSubscription object. [file:93]
The exact runtime impact depends on downstream processor behavior and storage validation. [file:93]
At minimum, this is a security-relevant robustness flaw that can lead to inconsistent request handling; under certain runtime conditions it may allow creation of invalid or unintended subscription state. [file:93]
Reproduction Status
The code path has been statically confirmed. [file:93] A complete runtime proof of unintended subscription creation after GetRawData() or deserialization failure has not yet been established. [file:93]
Patch
The handler should immediately terminate after sending an error response for body read or deserialization failure. [file:93]
A minimal fix is to add missing return statements in HandlePolicyDataSubsToNotifyPost:
reqBody, err := c.GetRawData()
if err != nil {
logger.DataRepoLog.Errorf("Get Request Body error: %+v", err)
pd := openapi.ProblemDetailsSystemFailure(err.Error())
c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)
c.JSON(http.StatusInternalServerError, pd)
return
}
err = openapi.Deserialize(&policyDataSubscription, reqBody, "application/json")
if err != nil {
logger.DataRepoLog.Errorf("Deserialize Request Body error: %+v", err)
pd := util.ProblemDetailsMalformedReqSyntax(err.Error())
c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)
c.JSON(http.StatusBadRequest, pd)
return
}
Additionally, the deserialization call should pass a pointer to the destination object so that the parsed body is written into the intended structure. [file:93]
Details
The issue is compounded by the handler's deserialization call, which passes
policyDataSubscription directly to openapi.Deserialize(...) instead of
passing a pointer to the destination object. This inconsistent usage further
increases the risk that request processing continues with an empty, partially
initialized, or otherwise unintended subscription object. [file:93]
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/free5gc/udr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40343"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-21T19:05:18Z",
"nvd_published_at": "2026-04-22T00:16:27Z",
"severity": "MODERATE"
},
"details": "### Summary\nA fail-open request handling flaw in the UDR service causes the `/nudr-dr/v2/policy-data/subs-to-notify` POST handler to continue processing requests even after request body retrieval or deserialization errors.\n\nThis may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior.\n\n### Details\nThe endpoint `POST /nudr-dr/v2/policy-data/subs-to-notify` is intended to create a Policy Data notification subscription only after the HTTP request body has been successfully read and parsed into a valid `PolicyDataSubscription` object. [file:93]\n\nIn the free5GC UDR implementation, the function `HandlePolicyDataSubsToNotifyPost` in `NFs/udr/internal/sbi/api_datarepository.go` does not terminate execution after input-processing failures. [file:93]\n\nThe request flow is:\n\n1. The handler calls `c.GetRawData()` to read the HTTP request body. [file:93]\n2. If `GetRawData()` fails, the handler sends an HTTP 500 error response, but **does not return**. [file:93]\n3. The handler then calls `openapi.Deserialize(policyDataSubscription, reqBody, \"application/json\")`. [file:93]\n4. If deserialization fails, the handler sends an HTTP 400 error response, but again **does not return**. [file:93]\n5. Execution continues and the handler still invokes `s.Processor().PolicyDataSubsToNotifyPostProcedure(c,policyDataSubscription)`. [file:93]\n\nAs a result, the endpoint operates in a fail-open manner: request processing may continue after fatal input validation or body handling errors, instead of being safely aborted. [file:93]\n\nThis differs from safer handlers in the same file, which use a helper pattern that explicitly returns on body read or deserialization failure before calling the corresponding processor routine. [file:93]\n\n### Security Impact\nThis issue affects a write-capable API that creates Policy Data notification subscriptions. [file:93] \nBecause execution continues after body read or parsing failure, the processor may receive an uninitialized, partially initialized, or otherwise unintended `PolicyDataSubscription` object. [file:93]\n\nThe exact runtime impact depends on downstream processor behavior and storage validation. [file:93] \nAt minimum, this is a security-relevant robustness flaw that can lead to inconsistent request handling; under certain runtime conditions it may allow creation of invalid or unintended subscription state. [file:93]\n\n### Reproduction Status\nThe code path has been statically confirmed. [file:93] A complete runtime proof of unintended subscription creation after `GetRawData()` or deserialization failure has not yet been established. [file:93]\n\n### Patch\nThe handler should immediately terminate after sending an error response for body read or deserialization failure. [file:93]\n\nA minimal fix is to add missing `return` statements in `HandlePolicyDataSubsToNotifyPost`:\n\n```go\nreqBody, err := c.GetRawData()\nif err != nil {\n logger.DataRepoLog.Errorf(\"Get Request Body error: %+v\", err)\n pd := openapi.ProblemDetailsSystemFailure(err.Error())\n c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)\n c.JSON(http.StatusInternalServerError, pd)\n return\n}\n\nerr = openapi.Deserialize(\u0026policyDataSubscription, reqBody, \"application/json\")\nif err != nil {\n logger.DataRepoLog.Errorf(\"Deserialize Request Body error: %+v\", err)\n pd := util.ProblemDetailsMalformedReqSyntax(err.Error())\n c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)\n c.JSON(http.StatusBadRequest, pd)\n return\n}\n```\nAdditionally, the deserialization call should pass a pointer to the destination\nobject so that the parsed body is written into the intended structure. [file:93]\n\n###Details\nThe issue is compounded by the handler\u0027s deserialization call, which passes\n`policyDataSubscription` directly to `openapi.Deserialize(...)` instead of\npassing a pointer to the destination object. This inconsistent usage further\nincreases the risk that request processing continues with an empty, partially\ninitialized, or otherwise unintended subscription object. [file:93]",
"id": "GHSA-jwch-w7wh-gqjm",
"modified": "2026-04-24T21:11:11Z",
"published": "2026-04-21T19:05:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jwch-w7wh-gqjm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40343"
},
{
"type": "PACKAGE",
"url": "https://github.com/free5gc/free5gc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "free5GC UDR: Fail-open handling in PolicyDataSubsToNotifyPost allows unintended subscription creation"
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
Mitigation
Check the results of all functions that return a value and verify that the value is expected.
Mitigation
If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248).
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
- Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-38
If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.
Mitigation
Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur.
No CAPEC attack patterns related to this CWE.