HIGH | CVE-2026-44321 | Published | Modified | CNA: GitHub_M

CVE-2026-44321: free5GC: SMF UPI POST /upi/v1/upNodesLinks exits the SMF process on overlapping UE pools (unauthenticated, reachable Fatalf)

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. The POST /upi/v1/upNodesLinks create-or-update handler accepts attacker-controlled JSON and passes it directly into UpNodesFromConfiguration(), which calls logger.InitLog.Fatalf(...) on several validation failures. One confirmed path is the UE-IP-pool overlap check: a single unauthenticated POST that adds a new UPF whose pool overlaps an existing UPF terminates the entire SMF process (docker ps shows Exited (1)), not just the goroutine. This vulnerability is fixed in 4.2.2.
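
One way to avoid the failure mode described above, as an added example (not free5GC's code and not part of the original advisory): the pool validator returns an error and the handler maps it to HTTP 400, so bad input never reaches a Fatalf-style call. The names validatePools and linksHandler and the simplified request schema (node name to list of UE IP pools) are hypothetical; authentication middleware is outside this sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/netip"
)

// validatePools returns an error for malformed or overlapping UE IP pools.
func validatePools(existing, incoming map[string][]string) error {
	seen := map[netip.Prefix]string{} // pool -> owning node
	for _, set := range []map[string][]string{existing, incoming} {
		for node, pools := range set {
			for _, cidr := range pools {
				p, err := netip.ParsePrefix(cidr)
				if err != nil {
					return fmt.Errorf("node %s: bad pool %q: %w", node, cidr, err)
				}
				for q, owner := range seen {
					if owner != node && q.Overlaps(p) {
						return fmt.Errorf("%s of %s overlaps %s of %s", p, node, q, owner)
					}
				}
				seen[p] = node
			}
		}
	}
	return nil
}

// linksHandler answers bad input with 400; a Fatalf-style call here would exit the process.
func linksHandler(existing map[string][]string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var body map[string][]string // hypothetical schema: node name -> UE IP pools
		err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&body)
		if err == nil {
			err = validatePools(existing, body)
		}
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	}
}

func main() { // constructed sample: UPF2's pool sits inside UPF1's
	fmt.Println(validatePools(map[string][]string{"UPF1": {"10.60.0.0/16"}}, map[string][]string{"UPF2": {"10.60.1.0/24"}}))
}
```

An update that resubmits a node's own pool is accepted, because overlap is only checked between pools owned by different nodes.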

HarborGuard Analysis

Synopsis

This is an unauthenticated denial-of-service vulnerability in free5GC, an open-source 5G core network implementation. The SMF (Session Management Function) component exposes a UPI management route without OAuth2 authentication, allowing any network-reachable attacker to send a crafted POST request that triggers a fatal log call, terminating the entire SMF process rather than just the failing request handler. Successful exploitation crashes the SMF process completely, disrupting all active and new session management for the 5G core. A patched-image rebuild at version 4.2.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images incorporating free5gc/free5gc, triggering a finding wherever an affected version is present in a registry or build pipeline.

Available

Triage

HarborGuard scores this finding at CVSS 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and weights it against each customer environment's compliance policy before routing the finding to the appropriate team inbox within the customer organization.

Available

Patch

Because a fix exists at version 4.2.2, a patched-image rebuild is available on HarborGuard for any environment running an affected version of free5gc. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at 4.2.2, runs a regression test suite against the rebuilt image, and opens a pull request against affected workloads.

Pending upstream

Exploit Conditions

  • Network reachability: Required

    The SMF UPI endpoint is exposed over the network, so an attacker must be able to reach the service via HTTP to send the malicious POST request.

  • Authentication: Not required

    The UPI route group is mounted without OAuth2 middleware, so no credentials or session token of any kind are needed to trigger the vulnerability.

  • Victim interaction: Not required

    The exploit is fully one-sided; the attacker sends a single POST request and no action from any user or operator is required.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; crafting an overlapping UE-IP-pool payload requires no race condition, memory layout knowledge, or other environmental setup.

Blast Radius

  • Crashes the entire SMF process (exit code 1), not just the handling goroutine, immediately halting all session management for the 5G core.
  • Disrupts all active UE (user equipment) sessions whose state is managed by the SMF, as the process termination is abrupt with no graceful teardown.
  • Blocks establishment of all new PDU sessions until the SMF process is restarted, effectively severing data-plane connectivity for users attached to the core.
  • The attack is repeatable on restart, meaning an attacker with continuous network access can sustain the denial of service across recovery attempts.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-44321 is active for all customer environments and matches against any image layer containing free5gc/free5gc prior to 4.2.2, including privately built images that vendor or embed the package. A patched-image rebuild at version 4.2.2 is available the moment a customer image is flagged as affected. For customers who opt into auto-remediation, HarborGuard initiates the rebuild, executes a regression run against the new image, and opens a pull request against the affected workload manifest; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who manage remediation manually will see the finding in their queue with CVSS context and a direct reference to the 4.2.2 fix. Where compliance policy restricts auto-remediation, network-policy isolation of the SMF UPI port (typically TCP 8805 or the operator-configured management port) is a viable compensating control to limit exposure until the patched image is promoted.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in
Affected Products: 1
Affected packages:
  • free5gc / free5gc < 4.2.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H