CVE-2026-44322: free5GC: NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil *ProblemDetails. The handler's errPfdData != nil branch builds its own problemDetailsErr correctly, but immediately after it reads problemDetails.Cause (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into HTTP 500, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing. This vulnerability is fixed in 4.2.2.
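The branch ordering described above, modelled in Go as an added example (not free5GC's code): when the consumer wrapper returns err != nil its problemDetails value is nil, the vulnerable handler reads that nil pointer right after building its own problemDetailsErr, and a recovery wrapper standing in for Gin's middleware turns the panic into a bare 500. The ProblemDetails fields, the SYSTEM_FAILURE cause and the withRecovery helper are assumptions for illustration.

```go
package main
import (
	"errors"
	"fmt"
	"net/http"
)
// ProblemDetails: minimal stand-in for the 3GPP error body (assumed fields, not free5GC's type).
type ProblemDetails struct {
	Status int32
	Cause  string
}
// reply turns the consumer's ProblemDetails (nil on success) into a status and cause.
func reply(pd *ProblemDetails) (int, string) {
	if pd == nil {
		return http.StatusOK, ""
	}
	return int(pd.Status), pd.Cause
}
// vulnerablePatch mirrors the faulty order: on err != nil it builds problemDetailsErr, then reads problemDetails (nil here).
func vulnerablePatch(problemDetails *ProblemDetails, err error) (int, string) {
	if err != nil {
		problemDetailsErr := &ProblemDetails{Status: http.StatusInternalServerError, Cause: "SYSTEM_FAILURE"}
		_ = problemDetailsErr
		return int(problemDetails.Status), problemDetails.Cause // BUG: nil dereference, panics
	}
	return reply(problemDetails)
}
// fixedPatch answers from the value built for this branch and never touches the nil one.
func fixedPatch(problemDetails *ProblemDetails, err error) (int, string) {
	if err != nil {
		pd := &ProblemDetails{Status: http.StatusInternalServerError, Cause: "SYSTEM_FAILURE"}
		return int(pd.Status), pd.Cause
	}
	return reply(problemDetails)
}
// withRecovery plays the role of Gin's recovery middleware: a panic becomes a bare 500 with no body.
func withRecovery(h func(*ProblemDetails, error) (int, string), pd *ProblemDetails, err error) (status int, cause string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			status, cause, panicked = http.StatusInternalServerError, "", true
		}
	}()
	status, cause = h(pd, err)
	return status, cause, false
}
func main() {
	udrErr := errors.New("UDR unreachable") // constructed sample failure
	fmt.Println(withRecovery(vulnerablePatch, nil, udrErr)) // recovered panic: bare 500, no cause
	fmt.Println(withRecovery(fixedPatch, nil, udrErr))      // controlled error with a cause
}
```

The third argument of withRecovery is the transport-level error; a UDR-supplied ProblemDetails with err nil still passes through unchanged in both variants.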
HarborGuard Analysis
Synopsis
A nil-pointer dereference in the free5GC Network Exposure Function (NEF) causes the process to panic when a specific PATCH endpoint encounters an upstream UDR access failure. The flaw is reachable over the network without any authentication, making it trivially triggerable by any attacker who can send HTTP requests to the NEF API. Successful exploitation crashes the request handler and forces an HTTP 500 response, disrupting service for legitimate users. A patched-image rebuild at version 4.2.2 is available on HarborGuard for affected environments.
HarborGuard Coverage
- Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built free5GC images, in registry scans and CI pipeline checks. (Status: Available)
- HarborGuard scores this CVE at CVSS 7.5 HIGH and is capable of weighting that score against each customer environment's compliance policy to prioritize routing and surface the finding to the appropriate team inbox within each organization. (Status: Available)
- Because the upstream fix is published at free5GC 4.2.2, a patched-image rebuild at that version is available on HarborGuard for environments running an affected release. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test pass, and open a PR against affected workloads automatically. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
The vulnerable PATCH endpoint is exposed over the network, so the attacker must be able to send HTTP requests to the NEF API surface.
- Authentication: Not required
The CVSS vector specifies PR:N, meaning no account or credential is needed to trigger the panic.
- Victim interaction: Not required
The CVSS vector specifies UI:N, so exploitation is fully attacker-driven and requires no action from any user or operator.
- Attack complexity: Low (AC:L)
The CVSS vector specifies AC:L, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites beyond reaching the endpoint while UDR access is failing.
Blast Radius
- Crashes the NEF request handler for the targeted PATCH endpoint, returning HTTP 500 to all callers for the duration of the UDR outage window.
- Disrupts 5G core PFD management operations, preventing application function clients from updating packet flow descriptions via the NEF API.
- Repeated triggering of the panic can sustain a denial-of-service condition against the NEF component as long as the attacker can send PATCH requests to the endpoint.
How HarborGuard Handles This
Available on HarborGuard: detection is active for any image derived from free5GC prior to version 4.2.2, with the finding surfaced in registry scans and pipeline gates within minutes of CVE publication. Because the upstream project has published a fix in 4.2.2, a patched-image rebuild at that version is available for environments running an affected image. For customers with auto-remediation enabled, HarborGuard can execute a rebuild at 4.2.2, run a regression test pass, and open a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where auto-remediation is not permitted by compliance policy, the finding is routed to the designated team inbox with CVSS 7.5 HIGH severity context so engineers can plan a manual image upgrade to 4.2.2.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- free5gc / free5gc < 4.2.2
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H