HIGH | CVE-2026-42459 | CNA: GitHub_M

CVE-2026-42459: free5GC: Improper Input Validation and Generation of Error Message Containing Sensitive Information in github.com/free5gc/udm

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm (Subscriber Data Management) service. An unauthenticated attacker can inject control characters into the SUPI parameter, causing UDM to forward a malformed request to UDR and return a 500 Internal Server Error response that exposes internal infrastructure details. This vulnerability is fixed in 4.2.2.

HarborGuard Analysis

Synopsis

Improper input validation in the free5GC UDM (Unified Data Management) component allows an unauthenticated attacker to inject control characters into the SUPI (Subscriber Permanent Identifier) path parameter across six GET handlers in the nudm-sdm service. The malformed request is forwarded to the UDR (Unified Data Repository), triggering a 500 Internal Server Error response that leaks internal infrastructure details. No fix version has been published upstream yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as a fix is released.
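The following Go example is added here; it is not free5GC's fix and not HarborGuard code. It shows the check the synopsis describes as missing: allow-list validation of the decoded supi path segment before anything is forwarded to UDR, answered with a fixed 400 body instead of an upstream error. The IMSI-only pattern, the `/nudm-sdm/v2/{supi}/...` path layout, and the names `checkSUPI` and `guardSUPI` are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"regexp"
	"strings"
	"unicode"
)

// Assumption: only IMSI-based SUPIs ("imsi-" + 5..15 digits) are in use here;
// NAI-style SUPIs would need their own allow-list rule.
var imsiSUPI = regexp.MustCompile(`^imsi-[0-9]{5,15}$`)

var errBadSUPI = errors.New("invalid supi")

// checkSUPI rejects control characters, then anything off the allow-list.
func checkSUPI(supi string) error {
	if strings.IndexFunc(supi, unicode.IsControl) >= 0 || !imsiSUPI.MatchString(supi) {
		return errBadSUPI
	}
	return nil
}

// guardSUPI is a hypothetical wrapper. It assumes the path layout
// /nudm-sdm/v2/{supi}/..., validates the decoded {supi} segment before the
// wrapped handler can forward anything upstream, and replies with a fixed body.
func guardSUPI(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seg := strings.Split(r.URL.Path, "/") // URL.Path is already percent-decoded
		if len(seg) < 4 || checkSUPI(seg[3]) != nil {
			w.Header().Set("Content-Type", "application/problem+json")
			w.WriteHeader(http.StatusBadRequest)
			fmt.Fprint(w, `{"status":400,"title":"Bad Request","detail":"invalid supi"}`)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed inputs: a well-formed SUPI and one carrying a CR/LF pair.
	for _, s := range []string{"imsi-208930000000001", "imsi-20893\r\n0001"} {
		fmt.Printf("%q -> %v\n", s, checkSUPI(s))
	}
}
```

Because the check runs on the decoded path, percent-encoded control characters are caught as well as raw ones.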

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle the free5GC UDM component.

Status: Available

Triage

HarborGuard scores this CVE at 7.7 HIGH using the CVSS v4.0 vector and weights findings against each customer organization's compliance policy, routing alerts to the appropriate team inbox based on configured severity thresholds and workload ownership.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment free5GC ships version 4.2.2 or later. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable nudm-sdm GET handlers are exposed over the network, so the attacker must be able to reach the UDM service endpoint across the network.

  • Authentication: Not required

    No credentials or session token are needed; the attacker can send a crafted SUPI parameter as an anonymous, unauthenticated request.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and requires no action from any user or operator of the affected system.

  • Attack complexity: Detail

    The exploit is reliable and condition-free: injecting control characters into a path parameter requires no special timing, memory layout knowledge, or environmental pre-conditions.

Blast Radius

  • A successful attacker reads internal infrastructure details (such as internal hostnames, service addresses, or stack traces) returned in the 500 Internal Server Error response body from UDR.
  • Exposed infrastructure details can be used to map the internal 5G core topology, accelerating follow-on attacks against UDR or other core network functions.
  • Subscriber identity handling paths are disrupted: repeated malformed requests cause UDM to return error responses, degrading the Subscriber Data Management service for legitimate operations.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for this CVE, HarborGuard continuously re-checks the advisory on every ingest cycle. The moment free5GC publishes version 4.2.2 or later, a patched-image rebuild will become available, and customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads automatically.

In the interim, compensating controls are worth considering:

  • Network policy rules that restrict access to the UDM nudm-sdm endpoints to known internal callers only.
  • Egress filtering to limit which services UDM can forward requests to (reducing the surface of information returned in error responses).
  • Alerting on anomalous 500-series response rates from UDM as a detection signal for active probing.

Customers who wish to be notified the moment a rebuild becomes available should confirm that CVE alerting for the free5gc/free5gc package group is active in their HarborGuard notification settings.

Metrics

  • CVSS v4.0: 7.7
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1
  • Affected packages: free5gc / free5gc < 4.2.2
  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P