Threat Advisory

Free5GC SMF Path Traversal Vulnerability Affects Authorization

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT, Critical Infrastructure
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the free5GC package, specifically in the SMF, NRF, and PCF components, affecting versions earlier than 1.4.3. These vulnerabilities include unauthenticated remote code execution, missing authentication and authorization, and type-confusion bugs, which can lead to business risks such as unauthorized access, data breaches, and service disruptions.

  • CVE-2026-44329 with a CVSS score of 10.0 – This vulnerability is a missing authentication issue in the SMF UPI management interface, allowing unauthenticated attackers to read, write, and delete UP-node and link topology entries.
  • CVE-2026-44328 with a CVSS score of 8.2 – This vulnerability is a nil-pointer dereference panic in the SMF UPI DELETE handler, which can be triggered by an unauthenticated attacker, causing a denial-of-service condition.
  • CVE-2026-44325 with a CVSS score of 7.5 – This vulnerability is a type-confusion bug in the NRF OAuth2 token parser, which can cause a panic and return an HTTP 500 error when an attacker sends a specially crafted form-encoded request.
  • CVE-2026-44330 with a CVSS score of 9.9 – This vulnerability is a remote code execution issue in the PCF component, allowing authenticated attackers to execute arbitrary code.
  • CVE-2026-44331 with a CVSS score of 8.8 – This vulnerability is a missing authorization issue in the NRF component, allowing authenticated attackers to access sensitive data.
  • CVE-2026-44332 with a CVSS score of 7.3 – This vulnerability is a type-confusion bug in the SMF component, which can cause a panic and return an HTTP 500 error when an attacker sends a specially crafted request.

The overall risk and urgency of these vulnerabilities are high, as they can be exploited by unauthenticated attackers to disrupt services, gain unauthorized access, or steal sensitive data. If exploited, these vulnerabilities can have severe business consequences, including reputational damage, financial losses, and legal liabilities.

RECOMMENDATION:

  • We recommend updating free5gc/smf to version 1.4.3.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-3258-qmv8-frp3
https://github.com/advisories/GHSA-p9mg-74mg-cwwr
https://github.com/advisories/GHSA-f8qv-7x5w-qr48
https://github.com/advisories/GHSA-j59f-x285-69jx
https://github.com/advisories/GHSA-rxrq-fv76-26pr
https://github.com/advisories/GHSA-wr8j-6chw-gm6p
