Vulnerability-Lookup

CVE-2026-44322 (GCVE-0-2026-44322)

Vulnerability from cvelistv5 – Published: 2026-05-27 15:46 – Updated: 2026-05-27 15:46

Title

free5GC: NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference

Summary

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil *ProblemDetails. The handler's errPfdData != nil branch builds its own problemDetailsErr correctly, but immediately after it reads problemDetails.Cause (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into HTTP 500, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing. This vulnerability is fixed in 4.2.2.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference
CWE-754 - Improper Check for Unusual or Exceptional Conditions

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/free5gc/free5gc/security/advis…	x_refsource_CONFIRM
https://github.com/free5gc/free5gc/issues/925	x_refsource_MISC
https://github.com/free5gc/nef/pull/22	x_refsource_MISC
https://github.com/free5gc/nef/commit/72a47f3fab4…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
free5gc	free5gc	Affected: < 4.2.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "free5gc",
          "vendor": "free5gc",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.2.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil *ProblemDetails. The handler\u0027s errPfdData != nil branch builds its own problemDetailsErr correctly, but immediately after it reads problemDetails.Cause (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into HTTP 500, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing. This vulnerability is fixed in 4.2.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476: NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T15:46:10.475Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-j59f-x285-69jx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-j59f-x285-69jx"
        },
        {
          "name": "https://github.com/free5gc/free5gc/issues/925",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/free5gc/free5gc/issues/925"
        },
        {
          "name": "https://github.com/free5gc/nef/pull/22",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/free5gc/nef/pull/22"
        },
        {
          "name": "https://github.com/free5gc/nef/commit/72a47f3fab4dffbd227f8d92c5f69dca93b610cb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/free5gc/nef/commit/72a47f3fab4dffbd227f8d92c5f69dca93b610cb"
        }
      ],
      "source": {
        "advisory": "GHSA-j59f-x285-69jx",
        "discovery": "UNKNOWN"
      },
      "title": "free5GC: NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44322",
    "datePublished": "2026-05-27T15:46:10.475Z",
    "dateReserved": "2026-05-05T19:00:06.022Z",
    "dateUpdated": "2026-05-27T15:46:10.475Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44322\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-27T17:16:37.480\",\"lastModified\":\"2026-05-27T17:16:37.480\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil *ProblemDetails. The handler\u0027s errPfdData != nil branch builds its own problemDetailsErr correctly, but immediately after it reads problemDetails.Cause (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into HTTP 500, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing. This vulnerability is fixed in 4.2.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"},{\"lang\":\"en\",\"value\":\"CWE-754\"}]}],\"references\":[{\"url\":\"https://github.com/free5gc/free5gc/issues/925\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/free5gc/free5gc/security/advisories/GHSA-j59f-x285-69jx\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/free5gc/nef/commit/72a47f3fab4dffbd227f8d92c5f69dca93b610cb\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/free5gc/nef/pull/22\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-44322

Vulnerability from fkie_nvd - Published: 2026-05-27 17:16 - Updated: 2026-05-27 17:16

Severity

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/free5gc/free5gc/issues/925
	security-advisories@github.com	https://github.com/free5gc/free5gc/security/advisories/GHSA-j59f-x285-69jx
	security-advisories@github.com	https://github.com/free5gc/nef/commit/72a47f3fab4dffbd227f8d92c5f69dca93b610cb
	security-advisories@github.com	https://github.com/free5gc/nef/pull/22

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC\u0027s NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil *ProblemDetails. The handler\u0027s errPfdData != nil branch builds its own problemDetailsErr correctly, but immediately after it reads problemDetails.Cause (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into HTTP 500, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing. This vulnerability is fixed in 4.2.2."
    }
  ],
  "id": "CVE-2026-44322",
  "lastModified": "2026-05-27T17:16:37.480",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-27T17:16:37.480",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/free5gc/free5gc/issues/925"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-j59f-x285-69jx"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/free5gc/nef/commit/72a47f3fab4dffbd227f8d92c5f69dca93b610cb"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/free5gc/nef/pull/22"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        },
        {
          "lang": "en",
          "value": "CWE-754"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-J59F-X285-69JX

Vulnerability from github – Published: 2026-05-08 22:50 – Updated: 2026-05-08 22:50

Summary

free5GC's NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference

Details

Summary

free5GC's NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil *ProblemDetails. The handler's errPfdData != nil branch builds its own problemDetailsErr correctly, but immediately after it reads problemDetails.Cause (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into HTTP 500, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing.

This is a second-order bug: the trigger requires UDR access to be failing (e.g. NRF or UDR is unreachable, registration broken, transient network failure). The attacker does not directly control that condition, so this is scored as AC:H. Once the upstream condition exists, the trigger is a single PATCH request and is repeatable.

The HTTP request itself in v4.2.1 is reachable without an Authorization header because the underlying NEF 3gpp-pfd-management route group is mounted without inbound auth middleware (see free5gc/free5gc#858). So in the validation lab the entire trigger chain is unauthenticated end-to-end.

Details

Validated against the NEF container in the official Docker compose lab. - Source repo tag: v4.2.1 - Running Docker image: free5gc/nef:v4.2.1 - Runtime NEF commit: 5ce35eab - Docker validation date: 2026-03-21 (container log timestamp 2026-03-21T03:06:36Z) - NEF endpoint: http://10.100.200.19:8000

Vulnerable handler logic in PatchIndividualApplicationPFDManagement (paraphrased):

pdfData, problemDetails, errPfdData := p.Consumer().AppDataPfdsAppIdGet(appID)

switch {
case problemDetails != nil:
    ...
case errPfdData != nil:
    problemDetailsErr := &models.ProblemDetails{
        Status: http.StatusInternalServerError,
        Detail: "Query to UDR failed",
    }
    c.Set(sbi.IN_PB_DETAILS_CTX_STR, problemDetails.Cause)   // <-- nil deref
    c.JSON(int(problemDetailsErr.Status), problemDetailsErr)
    return
}

In the errPfdData != nil branch, problemDetails is by construction nil (otherwise the first case would have matched). Reading problemDetails.Cause panics with runtime error: invalid memory address or nil pointer dereference. The intended value is presumably problemDetailsErr.Cause -- the locally constructed problem-details struct.

Code evidence (paths in free5gc/nef): - Patch handler core path: - NFs/nef/internal/sbi/processor/pfd.go:563 - NFs/nef/internal/sbi/processor/pfd.go:610 - Panic site (nil-deref on problemDetails.Cause): - NFs/nef/internal/sbi/processor/pfd.go:622 - Route exposure / dispatch: - NFs/nef/internal/sbi/api_pfd.go:168 - NFs/nef/internal/sbi/api_pfd.go:188

PoC

Reproduced end-to-end against the running NEF at http://10.100.200.19:8000. The trigger requires UDR access to be failing -- the lab simulates this by stopping NRF (so NEF's UDR client fails to discover/dial UDR). In production, equivalent triggers include NRF outages, UDR outages, or transient network failures.

Create an AF context (no Authorization header):

curl -i -X POST 'http://10.100.200.19:8000/3gpp-traffic-influence/v1/afnpd3/subscriptions' \
  -H 'Content-Type: application/json' \
  --data '{"afAppId":"app-nef-npd3","anyUeInd":true}'

Create a PFD-management transaction:

curl -i -X POST 'http://10.100.200.19:8000/3gpp-pfd-management/v1/afnpd3/transactions' \
  -H 'Content-Type: application/json' \
  --data '{"pfdDatas":{"appnpd3":{"externalAppId":"appnpd3","pfds":{"pfd1":{"pfdId":"pfd1","flowDescriptions":["permit in ip from 10.68.28.39 80 to any"]}}}}}'

Make UDR access fail (lab simulation):

docker stop nrf

Trigger the panic with one PATCH:

curl -i -X PATCH 'http://10.100.200.19:8000/3gpp-pfd-management/v1/afnpd3/transactions/1/applications/appnpd3' \
  -H 'Content-Type: application/json' \
  --data '{"externalAppId":"appnpd3","pfds":{"pfd1":{"pfdId":"pfd1","flowDescriptions":[]}}}'

HTTP/1.1 500 Internal Server Error
Content-Length: 0

NEF container logs (docker logs --since 2026-03-21T03:06:36Z nef) confirm the nil-deref panic at pfd.go:622 inside PatchIndividualApplicationPFDManagement:

[INFO][NEF][PFDMng] PatchIndividualApplicationPFDManagement - scsAsID[afnpd3], transID[1], appID[appnpd3]
[ERRO][NEF][GIN] panic: runtime error: invalid memory address or nil pointer dereference
github.com/free5gc/nef/internal/sbi/processor.(*Processor).PatchIndividualApplicationPFDManagement
    .../pfd.go:622
github.com/free5gc/nef/internal/sbi.(*Server).apiPatchIndividualApplicationPFDManagement
    .../api_pfd.go:188
[INFO][NEF][GIN] | 500 | PATCH | /3gpp-pfd-management/v1/afnpd3/transactions/1/applications/appnpd3 |

Restore for further testing:

docker start nrf

Impact

NULL pointer dereference (CWE-476) caused by improper handling of an exceptional branch (CWE-754): the errPfdData != nil branch reads problemDetails.Cause even though problemDetails is nil by construction in that branch (the prior case already matched the non-nil case). The intended target was the locally constructed problemDetailsErr.Cause.

Gin recovery catches the panic, so the NEF process is NOT killed and other endpoints continue serving. The realized impact is per-request: PATCH against this endpoint returns 500 (with empty body and a stack trace in NEF logs) instead of the intended controlled UDR-failure response, whenever upstream UDR access is failing.

No Confidentiality impact (the response is 500 with empty body). No persistent Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation and only fires while UDR access is independently broken; the attacker does not directly control that precondition, so AC:H is the honest assessment.

Affected: free5gc v4.2.1.

Upstream issue: https://github.com/free5gc/free5gc/issues/925 Upstream fix: https://github.com/free5gc/nef/pull/22

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/free5gc/nef"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T22:50:57Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nfree5GC\u0027s NEF `PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId}` handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns `err != nil` together with a nil `*ProblemDetails`. The handler\u0027s `errPfdData != nil` branch builds its own `problemDetailsErr` correctly, but immediately after it reads `problemDetails.Cause` (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into `HTTP 500`, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing.\n\nThis is a second-order bug: the trigger requires UDR access to be failing (e.g. NRF or UDR is unreachable, registration broken, transient network failure). The attacker does not directly control that condition, so this is scored as AC:H. Once the upstream condition exists, the trigger is a single PATCH request and is repeatable.\n\nThe HTTP request itself in v4.2.1 is reachable without an `Authorization` header because the underlying NEF `3gpp-pfd-management` route group is mounted without inbound auth middleware (see free5gc/free5gc#858). So in the validation lab the entire trigger chain is unauthenticated end-to-end.\n\n### Details\nValidated against the NEF container in the official Docker compose lab.\n- Source repo tag: `v4.2.1`\n- Running Docker image: `free5gc/nef:v4.2.1`\n- Runtime NEF commit: `5ce35eab`\n- Docker validation date: 2026-03-21 (container log timestamp `2026-03-21T03:06:36Z`)\n- NEF endpoint: `http://10.100.200.19:8000`\n\nVulnerable handler logic in `PatchIndividualApplicationPFDManagement` (paraphrased):\n```go\npdfData, problemDetails, errPfdData := p.Consumer().AppDataPfdsAppIdGet(appID)\n\nswitch {\ncase problemDetails != nil:\n    ...\ncase errPfdData != nil:\n    problemDetailsErr := \u0026models.ProblemDetails{\n        Status: http.StatusInternalServerError,\n        Detail: \"Query to UDR failed\",\n    }\n    c.Set(sbi.IN_PB_DETAILS_CTX_STR, problemDetails.Cause)   // \u003c-- nil deref\n    c.JSON(int(problemDetailsErr.Status), problemDetailsErr)\n    return\n}\n```\nIn the `errPfdData != nil` branch, `problemDetails` is by construction nil (otherwise the first `case` would have matched). Reading `problemDetails.Cause` panics with `runtime error: invalid memory address or nil pointer dereference`. The intended value is presumably `problemDetailsErr.Cause` -- the locally constructed problem-details struct.\n\nCode evidence (paths in `free5gc/nef`):\n- Patch handler core path:\n  - `NFs/nef/internal/sbi/processor/pfd.go:563`\n  - `NFs/nef/internal/sbi/processor/pfd.go:610`\n- Panic site (nil-deref on `problemDetails.Cause`):\n  - `NFs/nef/internal/sbi/processor/pfd.go:622`\n- Route exposure / dispatch:\n  - `NFs/nef/internal/sbi/api_pfd.go:168`\n  - `NFs/nef/internal/sbi/api_pfd.go:188`\n\n### PoC\nReproduced end-to-end against the running NEF at `http://10.100.200.19:8000`. The trigger requires UDR access to be failing -- the lab simulates this by stopping NRF (so NEF\u0027s UDR client fails to discover/dial UDR). In production, equivalent triggers include NRF outages, UDR outages, or transient network failures.\n\n1. Create an AF context (no Authorization header):\n```\ncurl -i -X POST \u0027http://10.100.200.19:8000/3gpp-traffic-influence/v1/afnpd3/subscriptions\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data \u0027{\"afAppId\":\"app-nef-npd3\",\"anyUeInd\":true}\u0027\n```\n\n2. Create a PFD-management transaction:\n```\ncurl -i -X POST \u0027http://10.100.200.19:8000/3gpp-pfd-management/v1/afnpd3/transactions\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data \u0027{\"pfdDatas\":{\"appnpd3\":{\"externalAppId\":\"appnpd3\",\"pfds\":{\"pfd1\":{\"pfdId\":\"pfd1\",\"flowDescriptions\":[\"permit in ip from 10.68.28.39 80 to any\"]}}}}}\u0027\n```\n\n3. Make UDR access fail (lab simulation):\n```\ndocker stop nrf\n```\n\n4. Trigger the panic with one PATCH:\n```\ncurl -i -X PATCH \u0027http://10.100.200.19:8000/3gpp-pfd-management/v1/afnpd3/transactions/1/applications/appnpd3\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data \u0027{\"externalAppId\":\"appnpd3\",\"pfds\":{\"pfd1\":{\"pfdId\":\"pfd1\",\"flowDescriptions\":[]}}}\u0027\n```\n```\nHTTP/1.1 500 Internal Server Error\nContent-Length: 0\n```\n\n5. NEF container logs (`docker logs --since 2026-03-21T03:06:36Z nef`) confirm the nil-deref panic at `pfd.go:622` inside `PatchIndividualApplicationPFDManagement`:\n```\n[INFO][NEF][PFDMng] PatchIndividualApplicationPFDManagement - scsAsID[afnpd3], transID[1], appID[appnpd3]\n[ERRO][NEF][GIN] panic: runtime error: invalid memory address or nil pointer dereference\ngithub.com/free5gc/nef/internal/sbi/processor.(*Processor).PatchIndividualApplicationPFDManagement\n    .../pfd.go:622\ngithub.com/free5gc/nef/internal/sbi.(*Server).apiPatchIndividualApplicationPFDManagement\n    .../api_pfd.go:188\n[INFO][NEF][GIN] | 500 | PATCH | /3gpp-pfd-management/v1/afnpd3/transactions/1/applications/appnpd3 |\n```\n\n6. Restore for further testing:\n```\ndocker start nrf\n```\n\n### Impact\nNULL pointer dereference (CWE-476) caused by improper handling of an exceptional branch (CWE-754): the `errPfdData != nil` branch reads `problemDetails.Cause` even though `problemDetails` is nil by construction in that branch (the prior `case` already matched the non-nil case). The intended target was the locally constructed `problemDetailsErr.Cause`.\n\nGin recovery catches the panic, so the NEF process is NOT killed and other endpoints continue serving. The realized impact is per-request: PATCH against this endpoint returns `500` (with empty body and a stack trace in NEF logs) instead of the intended controlled UDR-failure response, whenever upstream UDR access is failing.\n\nNo Confidentiality impact (the response is `500` with empty body). No persistent Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation and only fires while UDR access is independently broken; the attacker does not directly control that precondition, so AC:H is the honest assessment.\n\nAffected: free5gc v4.2.1.\n\nUpstream issue: https://github.com/free5gc/free5gc/issues/925\nUpstream fix: https://github.com/free5gc/nef/pull/22",
  "id": "GHSA-j59f-x285-69jx",
  "modified": "2026-05-08T22:50:57Z",
  "published": "2026-05-08T22:50:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-j59f-x285-69jx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/issues/925"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/nef/pull/22"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/nef/commit/72a47f3fab4dffbd227f8d92c5f69dca93b610cb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/free5gc/free5gc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "free5GC\u0027s NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44322 (GCVE-0-2026-44322)

FKIE_CVE-2026-44322

GHSA-J59F-X285-69JX

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature