CVE-2026-33064: free5GC UDM DataChangeNotification Procedure Panic Due to Nil Pointer Dereference
(updated )
Impact This is a NULL Pointer Dereference vulnerability leading to Denial of Service.
- Security Impact: A remote attacker can cause the UDM service to panic and crash by sending a crafted POST request to the
/sdm-subscriptionsendpoint with a malformed URL path containing path traversal sequences (../) and a large JSON payload. TheDataChangeNotificationProcedurefunction innotifier.goattempts to access a nil pointer without proper validation, causing a complete service crash with “runtime error: invalid memory address or nil pointer dereference”. - Functional Impact: The service crashes completely, requiring manual restart. All UDM functionality is disrupted until recovery.
- Affected Parties: All deployments of free5GC v4.0.1 using the UDM HTTP callback functionality.
Patches Yes, the issue has been patched. The fix is implemented in PR free5gc/udm#78. Users should upgrade to the next release of free5GC that includes this commit.
Workarounds There is no direct workaround at the application level. The recommendation is to apply the provided patch or implement API gateway-level filtering to block requests containing path traversal sequences.
References
- github.com/advisories/GHSA-7g27-v5wj-jr75
- github.com/free5gc/free5gc/issues/781
- github.com/free5gc/free5gc/security/advisories/GHSA-7g27-v5wj-jr75
- github.com/free5gc/udm
- github.com/free5gc/udm/commit/65d7070f4bfd016864cbbaefbd506bbc85d2fa92
- github.com/free5gc/udm/pull/78
- nvd.nist.gov/vuln/detail/CVE-2026-33064
Code Behaviors & Features
Detect and mitigate CVE-2026-33064 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →