HIGH | CVE-2026-44319 | CNA: GitHub_M

CVE-2026-44319: free5GC: NEF crashes via logger.Fatal on PFD notification delivery failure (attacker-controlled notifyUri)

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF terminates the entire process when a stored PFD-subscription notifyUri cannot be reached. In PfdChangeNotifier.FlushNotifications(), the notifier calls NnefPFDmanagementNotify(...) and on any delivery error invokes logger.PFDManageLog.Fatal(err), which is os.Exit(1)-equivalent in Go. An attacker who can create a PFD subscription with an attacker-chosen notifyUri and then trigger a PFD change can deterministically kill NEF on the asynchronous delivery attempt -- the process exits with status 1, dropping NEF's entire SBI surface until restart. This vulnerability is fixed in 4.2.2.
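
The failure mode described above, reduced to a self-contained Go model. This is an added example, not free5GC's code or its 4.2.2 patch: `Flush`, `stubTransport` and the URIs are hypothetical, and the injected `fatal` callback stands in for `logger.PFDManageLog.Fatal` so the fatal path can be observed without exiting. The hardened branch is one possible way to handle the error.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// stubTransport (constructed) keeps the example offline: hosts in down
// fail like an unreachable notifyUri, all other hosts answer 204.
type stubTransport struct{ down, hits map[string]bool }

func (t *stubTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	t.hits[r.URL.Host] = true
	if t.down[r.URL.Host] {
		return nil, fmt.Errorf("dial %s: connection refused", r.URL.Host)
	}
	return &http.Response{StatusCode: 204, Header: http.Header{}, Body: http.NoBody, Request: r}, nil
}

// Flush is a hypothetical model of the notifier loop: it posts a
// placeholder body to each subscriber-supplied notifyUri. fatal stands in
// for logger.Fatal, which in the real process never returns (exit 1).
// hardened=false mirrors the pre-4.2.2 pattern: the first delivery error
// goes to fatal and later subscribers are never served. hardened=true
// records the failing URI and keeps going.
func Flush(c *http.Client, fatal func(error), uris []string, hardened bool) (failed []string) {
	for _, u := range uris {
		resp, err := c.Post(u, "application/json", strings.NewReader("{}"))
		if err == nil {
			resp.Body.Close()
			continue
		}
		if !hardened {
			fatal(fmt.Errorf("notify %s: %w", u, err))
			return failed
		}
		failed = append(failed, u)
	}
	return failed
}

func main() {
	tr := &stubTransport{down: map[string]bool{"unreachable.invalid": true}, hits: map[string]bool{}}
	c := &http.Client{Transport: tr}
	uris := []string{"http://unreachable.invalid/cb", "http://af.example/cb"}
	Flush(c, func(e error) { fmt.Println("FATAL, process would exit:", e) }, uris, false)
	fmt.Println("hardened run, failed:", Flush(c, func(error) {}, uris, true), "contacted:", tr.hits)
}
```

In the hardened run the failing URI is returned to the caller, which is where a retry budget or subscription cleanup would hook in.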

HarborGuard Analysis

Synopsis

This is a process-termination vulnerability in the Network Exposure Function (NEF) component of free5GC, an open-source 5G core network implementation. The flaw is reachable over the network without any authentication: an attacker creates a PFD subscription with an attacker-chosen callback URL (notifyUri), then triggers a PFD change event, causing the NEF process to call logger.Fatal on delivery failure, which is equivalent to os.Exit(1) in Go and immediately kills the process. Successful exploitation crashes the NEF entirely, dropping all its Service-Based Interface (SBI) traffic until the process is manually restarted. A fix was introduced in free5GC 4.2.2; patched-image rebuilds at that version are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-44319 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built free5GC images, in both registry scans and CI pipeline checks.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.5 (High) and applying per-environment compliance policy weighting to prioritize it appropriately; triage results are routed to the relevant team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because the upstream fix is published at free5GC 4.2.2, a patched-image rebuild at that version is available on HarborGuard for any environment found to be running an affected release. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the NEF's SBI endpoint over the network to create a PFD subscription with a crafted notifyUri.

  • Authentication: Not required

    No credentials are required; the CVSS vector specifies PR:N, meaning the subscription creation endpoint can be abused without any account.

  • Victim interaction: Not required

    No human interaction is needed; the attacker controls both the subscription creation and the PFD change trigger, making the crash fully self-contained.

  • Attack complexity: Detail

    Attack complexity is Low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions beyond the ability to register a PFD subscription.

Blast Radius

  • The NEF process exits immediately with status 1, taking down the entire SBI surface the NEF exposes to other 5G core functions.
  • All in-flight and queued SBI requests to the NEF are dropped at the moment of the crash, disrupting any function relying on network exposure services.
  • The outage persists until an operator or orchestration layer detects the process death and restarts the NEF, creating a window of complete unavailability.
  • No confidentiality or integrity impact is associated with this vulnerability; the attacker gains only the ability to force this denial of service.

How HarborGuard Handles This

Available on HarborGuard: detection is active for any image manifest that includes free5GC components prior to version 4.2.2, matched against the published fix boundary. A patched-image rebuild at free5GC 4.2.2 is available for affected environments; for customers who opt into auto-remediation, HarborGuard triggers the rebuild, executes a regression run, and opens a PR against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the advisory appears in the triage queue with CVSS 7.5 High severity and ownership routing so the responsible team can act manually. Until a patched image is deployed, compensating controls worth considering include network-policy rules that restrict which sources may call the NEF subscription endpoint, egress filtering to limit which notifyUri destinations the NEF process can actually reach on delivery attempts, and alerting on unexpected NEF process exits via container restart-count monitoring.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in:
Affected Products: 1
Affected packages:
  • free5gc / free5gc < 4.2.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H