HIGH | CVE-2026-44328 | Published | Modified | CNA: GitHub_M

CVE-2026-44328: free5GC: SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. On top of that, the DELETE /upi/v1/upNodesLinks/{upNodeRef} handler unconditionally dereferences upNode.UPF after the type-guarded async release, even though AN-typed nodes are constructed without a UPF object. As a result, a single unauthenticated DELETE /upi/v1/upNodesLinks/gNB1 request crashes the handler with a nil-pointer panic AND mutates the in-memory user-plane topology before panicking (the UpNodeDelete(upNodeRef) line runs first). This is an unauthenticated, state-mutating panic-DoS sink that an off-path network attacker can trigger by name against any AN entry. This vulnerability is fixed in 4.2.2.

HarborGuard Analysis

Synopsis

A nil-pointer dereference in the free5GC Session Management Function (SMF) allows any unauthenticated network attacker to crash the SMF process with a single HTTP DELETE request. The SMF's UPI route group lacks OAuth2 authentication middleware, and the DELETE /upi/v1/upNodesLinks/{ref} handler dereferences a UPF object that is never populated for AN-typed nodes, triggering a Go nil-pointer panic. Successful exploitation crashes the SMF handler and permanently mutates the in-memory user-plane topology before the panic fires, causing service disruption and unauthorized topology changes. A patched-image rebuild at version 4.2.2 is available on HarborGuard for affected environments.
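The ordering defect described above, as an added Go example that is not free5GC's code: a constructed in-memory topology whose VulnerableDelete removes the entry and then dereferences the nil UPF of an AN node, beside a HardenedDelete that checks what it will touch before mutating. The names UPNode, Topology, gNB1 and UPF1 and the "AN"/"UPF" type strings are assumptions, and the real 4.2.2 fix is not reproduced here.

```go
package main

import "errors"

// Constructed model, not free5GC's code: AN-typed nodes carry no UPF object.
type UPF struct{ Addr string }
type UPNode struct {
	Type string // "AN" or "UPF" (assumed type names)
	UPF  *UPF   // nil for AN nodes
}
type Topology struct{ nodes map[string]*UPNode }

var ErrNotFound = errors.New("no such up node")

func NewTopology() *Topology {
	return &Topology{nodes: map[string]*UPNode{
		"gNB1": {Type: "AN"},
		"UPF1": {Type: "UPF", UPF: &UPF{Addr: "10.0.0.1"}},
	}}
}

// VulnerableDelete mirrors the ordering in the advisory: the entry is removed
// first, then n.UPF is dereferenced unconditionally. For an AN node this panics
// AFTER the mutation, so recovering from the panic does not restore the node.
func (t *Topology) VulnerableDelete(ref string) (string, error) {
	n, ok := t.nodes[ref]
	if !ok {
		return "", ErrNotFound
	}
	delete(t.nodes, ref)   // state mutation runs before any nil check
	return n.UPF.Addr, nil // unguarded dereference: n.UPF is nil for AN nodes
}

// HardenedDelete validates everything it will touch before mutating state,
// so an AN node is removed cleanly and a bad request can never leave the
// topology half-updated.
func (t *Topology) HardenedDelete(ref string) (string, error) {
	n, ok := t.nodes[ref]
	if !ok {
		return "", ErrNotFound
	}
	addr := ""
	if n.UPF != nil {
		addr = n.UPF.Addr
	}
	delete(t.nodes, ref)
	return addr, nil
}

// Has reports whether ref is still in the topology (used to show the
// mutation survived the panic).
func (t *Topology) Has(ref string) bool { _, ok := t.nodes[ref]; return ok }
```

The example only shows the handler-ordering half of the issue; the missing OAuth2 middleware on the UPI route group is a separate fix in the router setup.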

HarborGuard Coverage

Detection

Detection of CVE-2026-44328 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built free5GC images in CI pipelines and private registries. Any image containing a free5GC SMF binary at a version below 4.2.2 will surface as affected.

Available
Triage

HarborGuard scores this CVE at CVSS 8.2 HIGH and surfaces it accordingly in each customer environment's priority queue. Per-environment compliance policy weighting can further elevate or gate the finding, and routing rules direct the alert to the team or inbox responsible for 5G-core workloads within each customer org.

Available
Patch

A patched-image rebuild at free5GC 4.2.2 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs regression tests against the new image, and opens a pull request against affected workloads automatically.

Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the SMF's UPI HTTP management interface over the network; no prior foothold on the host is needed.

  • Authentication: Not required

    The UPI route group is mounted without OAuth2 middleware, so no credentials or session token are required to issue the malicious DELETE request.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven; no user or operator action is needed to trigger the nil-pointer panic.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free: a single correctly formed DELETE request to a known AN node name is sufficient, with no timing, race, or memory-layout requirements.

Blast Radius

  • Crashes the SMF handler process, taking Session Management Function availability offline and disrupting active 5G session establishment and modification for all connected UEs.
  • Permanently removes the targeted AN node (e.g. gNB1) from the in-memory user-plane topology before the panic fires, silently corrupting the SMF's view of the network graph for the lifetime of the process.
  • An attacker who enumerates multiple AN node names can chain repeated requests to progressively strip the user-plane topology, deepening the outage beyond a simple restart recovery.
  • Integrity of the user-plane link state is compromised (CVSS I:L) because the topology mutation is not rolled back on panic, meaning restarting the SMF does not automatically restore the deleted node entry.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-44328 is active across all environments scanning free5GC images, and a patched-image rebuild at version 4.2.2 is available immediately for any environment running an affected SMF image. For customers who opt into auto-remediation, HarborGuard initiates a rebuild at 4.2.2, executes regression tests against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy or network architecture permits, customers who cannot immediately rebuild should consider placing the SMF UPI management port (typically not intended to be internet-facing) behind a network policy that restricts access to trusted operator subnets, reducing the population of hosts able to send unauthenticated DELETE requests to the endpoint.

Metrics

  • CVSS v3.1: 8.2
  • Severity: HIGH
  • Fixed in: 4.2.2
  • Affected products: 1
  • Affected packages: free5gc / free5gc < 4.2.2
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H