Severity: HIGH | CVE-2026-44316 | Published | Modified | CNA: GitHub_M

CVE-2026-44316: free5GC: PCF npcf-smpolicycontrol POST /sm-policies panics on downstream UDR/OpenAPI 404 via nil pointer dereference

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's PCF POST /npcf-smpolicycontrol/v1/sm-policies handler (HandleCreateSmPolicyRequest) panics with a nil-pointer dereference when a downstream OpenAPI consumer call (UDR lookup) returns 404 Not Found and the consumer wrapper returns err != nil together with a nil response struct. The handler logs the OpenAPI error and continues executing instead of returning, then dereferences the nil response struct on a subsequent line and panics. Gin recovery converts the panic into HTTP 500, so a single attacker-shaped POST returns 500 instead of a clean 4xx whenever the downstream lookup fails. The PCF process keeps running. The trigger is a single POST containing input that causes the downstream UDR lookup to fail (e.g. an unknown DNN). In 4.2.1 this endpoint is also reachable WITHOUT an Authorization header because the PCF Npcf_SMPolicyControl route group is mounted without inbound auth middleware. This vulnerability is fixed in 4.2.2.
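The defect the advisory describes is an error-handling pattern, not a protocol detail: the consumer wrapper returns an error together with a nil response pointer, the handler logs the error but does not return, and the next line dereferences the nil pointer. The Go program below is an added illustration of that pattern and its fix; it is not free5GC's code. The names PolicyData, udrErr, lookupSmPolicyData, the JSON body fields and the 400/503 status codes used by the fixed handler are constructed for this example, and a minimal recover-based middleware stands in for Gin's recovery, which is what turns the panic into HTTP 500.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// PolicyData stands in for the struct a successful UDR lookup returns
// (constructed for this example, not a free5GC type).
type PolicyData struct {
	AllowedDNNs []string
}

// udrErr mimics a failed consumer call: a status-bearing error that is
// returned alongside a nil response pointer.
type udrErr struct{ Status int }

func (e *udrErr) Error() string { return fmt.Sprintf("UDR returned %d", e.Status) }

// lookupSmPolicyData is a hypothetical stand-in for the OpenAPI consumer
// wrapper around the UDR query. Only "internet" is known; any other DNN
// yields (nil, 404), the err != nil plus nil-response combination at issue.
func lookupSmPolicyData(dnn string) (*PolicyData, error) {
	if dnn == "internet" {
		return &PolicyData{AllowedDNNs: []string{"internet"}}, nil
	}
	return nil, &udrErr{Status: http.StatusNotFound}
}

// smPolicyRequest is a reduced, constructed request body.
type smPolicyRequest struct {
	Supi string `json:"supi"`
	Dnn  string `json:"dnn"`
}

func decode(r *http.Request) (smPolicyRequest, error) {
	var req smPolicyRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		return req, err
	}
	if req.Supi == "" || req.Dnn == "" {
		return req, errors.New("supi and dnn are required")
	}
	return req, nil
}

// vulnerableHandler reproduces the bug: the lookup error is logged but the
// function keeps going and dereferences the nil *PolicyData.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	req, err := decode(r)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	data, err := lookupSmPolicyData(req.Dnn)
	if err != nil {
		log.Printf("openapi error: %v", err) // logged, but no return
	}
	resp := map[string]any{"allowedDnns": data.AllowedDNNs} // panics when data == nil
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusCreated)
	json.NewEncoder(w).Encode(resp)
}

// fixedHandler returns on error and maps a downstream 404 to a client-side
// 4xx; any other downstream failure becomes 503. The exact status codes are
// an assumption of this example, not the upstream fix.
func fixedHandler(w http.ResponseWriter, r *http.Request) {
	req, err := decode(r)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	data, err := lookupSmPolicyData(req.Dnn)
	if err != nil {
		log.Printf("openapi error: %v", err)
		var ue *udrErr
		status := http.StatusServiceUnavailable
		if errors.As(err, &ue) && ue.Status == http.StatusNotFound {
			status = http.StatusBadRequest
		}
		w.Header().Set("Content-Type", "application/problem+json")
		w.WriteHeader(status)
		json.NewEncoder(w).Encode(map[string]any{"status": status, "detail": "policy data lookup failed"})
		return // the missing early return
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusCreated)
	json.NewEncoder(w).Encode(map[string]any{"allowedDnns": data.AllowedDNNs})
}

// withRecovery is a minimal stand-in for Gin's recovery middleware: a panic
// becomes an HTTP 500 instead of killing the process.
func withRecovery(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if p := recover(); p != nil {
				log.Printf("panic recovered: %v", p)
				w.WriteHeader(http.StatusInternalServerError)
			}
		}()
		next(w, r)
	}
}

// postSmPolicy drives a handler with an in-memory POST and returns the status code.
func postSmPolicy(h http.HandlerFunc, body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/npcf-smpolicycontrol/v1/sm-policies", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	h(rec, req)
	return rec.Code
}

func main() {
	body := `{"supi":"imsi-208930000000001","dnn":"no-such-dnn"}` // constructed input with an unknown DNN
	fmt.Println("vulnerable handler:", postSmPolicy(withRecovery(vulnerableHandler), body))
	fmt.Println("fixed handler:     ", postSmPolicy(withRecovery(fixedHandler), body))
}
```

Running it shows the two outcomes side by side for the same unknown-DNN request: the vulnerable handler answers 500 after the recovered panic, the fixed handler answers a clean 4xx; a known DNN yields 201 from both. In a code review the thing to look for is exactly this shape: an `if err != nil` block that only logs, followed by a use of the value returned next to that error.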

HarborGuard Analysis

Synopsis

A nil-pointer dereference in free5GC's Policy Control Function (PCF) causes the HTTP handler for POST /npcf-smpolicycontrol/v1/sm-policies to panic whenever a downstream UDR lookup returns a 404 Not Found response. The endpoint is reachable over the network with no authentication required, because the route group is mounted without inbound auth middleware in affected versions. A single crafted POST request (for example, referencing an unknown Data Network Name) triggers the panic, causing Gin's recovery middleware to return HTTP 500 and disrupting policy control operations. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream publishes a fix version.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-44316 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all images in customer registries and CI/CD pipelines, including custom-built 5G core images derived from free5GC base layers.

Triage: Available

HarborGuard scores this CVE at CVSS 7.5 HIGH and weights it against each environment's compliance policy to determine routing priority; findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published upstream for CVE-2026-44316, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without any manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to send HTTP POST requests to the PCF service to trigger the panic.

  • Authentication: Not required

    No authentication is required; the npcf-smpolicycontrol route group is mounted without inbound auth middleware in affected versions, making the endpoint reachable anonymously.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker sends a single crafted POST request and the panic is triggered server-side without any user action.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free: any POST referencing an unknown DNN or other input that causes the downstream UDR lookup to return 404 is sufficient to trigger the nil dereference.

Blast Radius

  • Crashes the PCF request handler for the targeted SM policy creation request, causing Gin to return HTTP 500 to the caller.
  • Disrupts 5G session management policy control for any subscriber whose policy request hits the affected code path during the attack window.
  • Repeated requests can sustain a denial-of-service condition against the policy control plane without terminating the PCF process itself.
  • No confidential data is read and no stored records are modified; impact is limited to availability of the policy control function.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-44316 is active across customer environments scanning images that package free5GC components, including custom-built 5G core images. Because no upstream fix version has been published, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment free5GC ships version 4.2.2 or a later fix release; customers with auto-remediation enabled will receive that rebuild, a regression-test run, and an automated PR against affected workloads with no manual steps required.

In the interim, compensating controls available for consideration include:

  • Isolating the PCF service behind a network policy that restricts POST access to the npcf-smpolicycontrol route to trusted internal callers only.
  • Applying egress filtering to limit the PCF's downstream UDR reachability to expected endpoints.
  • Where operationally feasible, gating external access to the SM policy creation endpoint via an API gateway that enforces authentication before the request reaches the PCF process.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in:
  • Affected products: 1
  • Affected packages:
    • free5gc / free5gc < 4.2.2
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H