安全情报

CVE-2026-44323 - free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing subsId when UE

AiRedTeam

09 May 2026 • 阅读时间 1 分钟

📡 GitHub-Advisory · 2026-05-08

CVE-2026-44323 - free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing subsId when UE

CVE-2026-44323

GHSA-4rqf-grm6-vf75 MEDIUM go/github.com/free5gc/udr

CVE: CVE-2026-44323

Summary

free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks _, ok = UESubsData.EeSubscriptionCollection[subsId] and sets a 404 problem-details on the miss path, but then continues to UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos -- dereferencing the same missing entry instead of returning. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable.

This endpoint requires a valid nudr-dr OAuth2 access token (i.e. PR:L, NOT PR:N), so this is scored as an authenticated panic-DoS, not as an unauth-bypass finding.

Details

Validated against the UDR container in the official Docker compose lab.

Source repo tag: v4.2.1
Running Docker image: free5gc/udr:v4.2.1
Runtime UDR commit: 754d23b0
Docker validation date: 2026-03-22
UDR endpoint: http://10.100.200.11:8000

Precondition (one authenticated EE-subscription create allocates UE state):

if !ok {
    udrSelf.UESubsCollection.Store(ueId, new(udr_context.UESubsData))
    value, _ = udrSelf.UESubsCollection.Load(ueId)
}
...
UESubsData.EeSubscriptionCollection[newSubscriptionID] = new(udr_context.EeSubscriptionCollection)

Vulnerable handler (delete on amf-subscriptions): the ok miss path sets pd but does not return, so the very next line dereferences the nil entry:

_, ok = UESubsData.EeSubscriptionCollection[subsId]
if !ok {
    pd = util.ProblemDetailsNotFound("SUBSCRIPTION_NOT_FOUND")
}

if UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos == nil {
    pd = util.ProblemDetailsNotFound("AMFSUBSCRIPTION_NOT_FOUND")
}

When subsId is absent, UESubsData.EeSubscriptionCollection[subsId] is nil, and .AmfSubscriptionInfos panics with `runtime error: invalid memory addr

📌 来源: GitHub-Advisory | 🆔 CVE-2026-44323 | 📅 2026-05-08