CVE-2026-44321: free5GC's SMF UPI POST /upi/v1/upNodesLinks exits the SMF process on overlapping UE pools (unauthenticated, reachable Fatalf)
free5GC’s SMF mounts the UPI management route group without inbound OAuth2 middleware (same root cause as free5gc/free5gc#887). The POST /upi/v1/upNodesLinks create-or-update handler accepts attacker-controlled JSON and passes it directly into UpNodesFromConfiguration(), which calls logger.InitLog.Fatalf(...) on several validation failures. One confirmed path is the UE-IP-pool overlap check: a single unauthenticated POST that adds a new UPF whose pool overlaps an existing UPF’s pool terminates the entire SMF process (docker ps shows Exited (1)), not just the goroutine.

This is a stronger sink than free5gc/free5gc#905. That issue panics inside the request goroutine, where Gin recovers; this one calls Fatalf, which is os.Exit(1)-equivalent and kills the whole SMF process, dropping all of SMF’s SBI surface (PDU-session establishment, UE policy lookups, etc.) until the process is restarted.
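The following Go example is added here and is not free5GC's code or the upstream patch: it shows a UE-IP-pool overlap check that returns an error for the handler to turn into a client-error response, so request-derived input never reaches a Fatalf-style exit. The names checkPoolOverlap and statusFor, the map-of-CIDR-strings configuration shape, and the 400/201 status codes are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
)

// checkPoolOverlap validates a new UPF's UE IP pools against pools already in
// use. Every failure is returned as an error; nothing here exits the process.
// (Hypothetical helper; free5GC's real types and function names differ.)
func checkPoolOverlap(existing map[string][]string, upf string, pools []string) error {
	for _, raw := range pools {
		candidate, err := netip.ParsePrefix(raw)
		if err != nil {
			return fmt.Errorf("upf %q: bad pool %q: %w", upf, raw, err)
		}
		for owner, ownerPools := range existing {
			for _, ownerRaw := range ownerPools {
				used, err := netip.ParsePrefix(ownerRaw)
				if err != nil {
					return fmt.Errorf("upf %q: bad pool %q: %w", owner, ownerRaw, err)
				}
				if candidate.Overlaps(used) {
					return fmt.Errorf("upf %q pool %s overlaps upf %q pool %s",
						upf, candidate, owner, used)
				}
			}
		}
	}
	return nil
}

// statusFor is what a request handler would send back (assumed codes): a client
// error for a rejected topology, success otherwise. The process keeps serving.
func statusFor(err error) int {
	if err != nil {
		return http.StatusBadRequest
	}
	return http.StatusCreated
}

func main() {
	// Constructed sample data: one configured UPF and two candidate pools.
	existing := map[string][]string{"UPF1": {"10.60.0.0/16"}}
	for _, pool := range []string{"10.60.128.0/17", "10.61.0.0/16"} {
		err := checkPoolOverlap(existing, "UPF2", []string{pool})
		fmt.Println(pool, statusFor(err), err)
	}
}
```

Fatal-level logging stays appropriate for startup configuration loaded from disk; the point is that the same validation, when reached from an HTTP handler, needs an error-returning path.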
References
- github.com/advisories/GHSA-44qj-cghf-9p97
- github.com/free5gc/free5gc
- github.com/free5gc/free5gc/issues/906
- github.com/free5gc/free5gc/security/advisories/GHSA-44qj-cghf-9p97
- github.com/free5gc/smf/commit/e0974e07ddab44a67d36a563cca383b2449e33e5
- github.com/free5gc/smf/pull/203
- nvd.nist.gov/vuln/detail/CVE-2026-44321