CVE-2026-44319: free5GC's NEF crashes via logger.Fatal on PFD notification delivery failure (attacker-controlled notifyUri)
free5GC’s NEF terminates the entire process when a stored PFD-subscription notifyUri cannot be reached. In PfdChangeNotifier.FlushNotifications(), the notifier calls NnefPFDmanagementNotify(...) and on any delivery error invokes logger.PFDManageLog.Fatal(err), which is os.Exit(1)-equivalent in Go. An attacker who can create a PFD subscription with an attacker-chosen notifyUri and then trigger a PFD change can deterministically kill NEF on the asynchronous delivery attempt – the process exits with status 1, dropping NEF’s entire SBI surface until restart. This is materially worse than a per-request panic-DoS (Gin recovery does not catch Fatal).
The trigger uses three POSTs that are reachable without an Authorization header in v4.2.1, because the underlying NEF SBI route groups themselves are mounted without inbound auth middleware (see free5gc/free5gc#858, free5gc/free5gc#859, free5gc/free5gc#862). So in the lab the entire chain is unauthenticated end-to-end. This advisory is scoped to the Fatal-on-delivery-failure code defect; the auth-bypass primitives are tracked separately in the upstream issues above.
References
- github.com/advisories/GHSA-rxrq-fv76-26pr
- github.com/free5gc/free5gc
- github.com/free5gc/free5gc/issues/924
- github.com/free5gc/free5gc/security/advisories/GHSA-rxrq-fv76-26pr
- github.com/free5gc/nef/commit/f110517b1189801950b50668a593398687049074
- github.com/free5gc/nef/pull/25
- nvd.nist.gov/vuln/detail/CVE-2026-44319
Code Behaviors & Features
Detect and mitigate CVE-2026-44319 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →