CVE-2026-44323: free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing subsId when UE state exists (nil pointer dereference)
free5GC’s UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks _, ok = UESubsData.EeSubscriptionCollection[subsId] and sets a 404 problem-details on the miss path, but then continues to UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos – dereferencing the same missing entry instead of returning. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable.
This endpoint requires a valid nudr-dr OAuth2 access token (i.e. PR:L, NOT PR:N), so this is scored as an authenticated panic-DoS, not as an unauth-bypass finding.
References
- github.com/advisories/GHSA-4rqf-grm6-vf75
- github.com/free5gc/free5gc
- github.com/free5gc/free5gc/issues/919
- github.com/free5gc/free5gc/security/advisories/GHSA-4rqf-grm6-vf75
- github.com/free5gc/udr/commit/8a1d3c63be99d378806d771f086ff32f1867da99
- github.com/free5gc/udr/pull/60
- nvd.nist.gov/vuln/detail/CVE-2026-44323
Code Behaviors & Features
Detect and mitigate CVE-2026-44323 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →