{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33064", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T19:27:06.343Z", "datePublished": "2026-03-20T08:00:31.755Z", "dateUpdated": "2026-03-20T15:42:53.709Z"}, "containers": {"cna": {"title": "free5GC UDM DataChangeNotification Procedure Panic Due to Nil Pointer Dereference", "problemTypes": [{"descriptions": [{"cweId": "CWE-478", "lang": "en", "description": "CWE-478: Missing Default Case in Multiple Condition Expression", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-7g27-v5wj-jr75", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-7g27-v5wj-jr75"}, {"name": "https://github.com/free5gc/free5gc/issues/781", "tags": ["x_refsource_MISC"], "url": "https://github.com/free5gc/free5gc/issues/781"}, {"name": "https://github.com/free5gc/udm/pull/78", "tags": ["x_refsource_MISC"], "url": "https://github.com/free5gc/udm/pull/78"}, {"name": "https://github.com/free5gc/udm/commit/65d7070f4bfd016864cbbaefbd506bbc85d2fa92", "tags": ["x_refsource_MISC"], "url": "https://github.com/free5gc/udm/commit/65d7070f4bfd016864cbbaefbd506bbc85d2fa92"}], "affected": [{"vendor": "free5gc", "product": "free5gc", "versions": [{"version": "< 1.4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:00:31.755Z"}, "descriptions": [{"lang": "en", "value": "Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to procedure panic caused by Nil Pointer Dereference in the /sdm-subscriptions endpoint. A remote attacker can cause the UDM service to panic and crash by sending a crafted POST request to the /sdm-subscriptions endpoint with a malformed URL path containing path traversal sequences (../) and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go attempts to access a nil pointer without proper validation, causing a complete service crash with \"runtime error: invalid memory address or nil pointer dereference\". Exploitation would result in UDM functionality disruption until recovery by restart. This issue has been fixed in version 1.4.2."}], "source": {"advisory": "GHSA-7g27-v5wj-jr75", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T15:42:37.002784Z", "id": "CVE-2026-33064", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:42:53.709Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33064", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T15:42:37.002784Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:42:44.180Z"}}], "cna": {"title": "free5GC UDM DataChangeNotification Procedure Panic Due to Nil Pointer Dereference", "source": {"advisory": "GHSA-7g27-v5wj-jr75", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "free5gc", "product": "free5gc", "versions": [{"status": "affected", "version": "< 1.4.2"}]}], "references": [{"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-7g27-v5wj-jr75", "name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-7g27-v5wj-jr75", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/free5gc/free5gc/issues/781", "name": "https://github.com/free5gc/free5gc/issues/781", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/free5gc/udm/pull/78", "name": "https://github.com/free5gc/udm/pull/78", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/free5gc/udm/commit/65d7070f4bfd016864cbbaefbd506bbc85d2fa92", "name": "https://github.com/free5gc/udm/commit/65d7070f4bfd016864cbbaefbd506bbc85d2fa92", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to procedure panic caused by Nil Pointer Dereference in the /sdm-subscriptions endpoint. A remote attacker can cause the UDM service to panic and crash by sending a crafted POST request to the /sdm-subscriptions endpoint with a malformed URL path containing path traversal sequences (../) and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go attempts to access a nil pointer without proper validation, causing a complete service crash with \"runtime error: invalid memory address or nil pointer dereference\". Exploitation would result in UDM functionality disruption until recovery by restart. This issue has been fixed in version 1.4.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-478", "description": "CWE-478: Missing Default Case in Multiple Condition Expression"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:00:31.755Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33064", "state": "PUBLISHED", "dateUpdated": "2026-03-20T15:42:53.709Z", "dateReserved": "2026-03-17T19:27:06.343Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T08:00:31.755Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*", "matchCriteriaId": "C4C4212B-95F4-49DD-B6DA-F6DF4D8D7257", "versionEndExcluding": "1.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to procedure panic caused by Nil Pointer Dereference in the /sdm-subscriptions endpoint. A remote attacker can cause the UDM service to panic and crash by sending a crafted POST request to the /sdm-subscriptions endpoint with a malformed URL path containing path traversal sequences (../) and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go attempts to access a nil pointer without proper validation, causing a complete service crash with \"runtime error: invalid memory address or nil pointer dereference\". Exploitation would result in UDM functionality disruption until recovery by restart. This issue has been fixed in version 1.4.2."}, {"lang": "es", "value": "Free5GC es un proyecto de c\u00f3digo abierto de la Linux Foundation para redes centrales m\u00f3viles de quinta generaci\u00f3n (5G). Las versiones anteriores a la 1.4.2 son vulnerables a un p\u00e1nico de procedimiento causado por una desreferenciaci\u00f3n de puntero nulo (Nil Pointer Dereference) en el endpoint /sdm-subscriptions. Un atacante remoto puede causar que el servicio UDM entre en p\u00e1nico y falle enviando una solicitud POST manipulada al endpoint /sdm-subscriptions con una ruta URL malformada que contenga secuencias de salto de ruta (../) y una carga \u00fatil JSON grande. La funci\u00f3n DataChangeNotificationProcedure en notifier.go intenta acceder a un puntero nulo sin la validaci\u00f3n adecuada, lo que provoca un fallo completo del servicio con el error 'runtime error: invalid memory address or nil pointer dereference'. La explotaci\u00f3n resultar\u00eda en la interrupci\u00f3n de la funcionalidad del UDM hasta su recuperaci\u00f3n mediante un reinicio. Este problema ha sido solucionado en la versi\u00f3n 1.4.2."}], "id": "CVE-2026-33064", "lastModified": "2026-03-23T18:43:25.237", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T08:16:12.257", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://github.com/free5gc/free5gc/issues/781"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-7g27-v5wj-jr75"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/free5gc/udm/commit/65d7070f4bfd016864cbbaefbd506bbc85d2fa92"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/free5gc/udm/pull/78"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-478"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "free5gc", "source": "cna", "vendor": "free5gc"}, "product": "free5gc", "vendor": "free5gc"}], "analysis": {"en": {"generated_at": "2026-03-23T19:51:37.450697+00:00", "value": {"mitigation_remediation": ["Upgrade free5GC to version 1.4.2 or later to eliminate the crash condition.", "If a patch cannot be applied immediately, restrict external access to the /sdm-subscriptions endpoint using network controls such as firewalls or ACLs.", "Monitor inbound traffic for malformed POST requests targeting the /sdm-subscriptions path and log any suspicious activity.", "Verify that the UDM service runs correctly after applying the patch and restart the service if required to clear any lingering state."], "summary": {"action": "Patch immediately", "impact": "Remote Denial of Service"}, "threat_synthesis": {"affected_systems": "All releases of free5GC UDM prior to version 1.4.2 are vulnerable; users running those versions are at risk until the patched release is deployed; the affected product is the UDM component in the free5GC open\u2011source 5G core network stack.", "description_and_impact": "A nil pointer dereference in the DataChangeNotificationProcedure function of the free5GC UDM causes a runtime panic when processing a POST request to the /sdm-subscriptions endpoint; the flaw enables an attacker to force a complete service crash by sending a crafted request that includes path traversal sequences and a large JSON payload, resulting in a denial of service for 5G core network operations and requiring a service restart for recovery; the weakness is identified as CWE\u2011476 and CWE\u2011478.", "risk_and_exploitability": "The CVSS base score of 8.7 indicates high severity, while the EPSS score of less than 1% suggests a low current probability of exploitation; the vulnerability is not listed in the CISA KEV catalog; based on the description, it is inferred that no authentication is required to send the crafted POST request to the /sdm-subscriptions endpoint, implying a low barrier to entry for remote attackers; successful exploitation would trigger a crash that persists until the service is manually restarted."}}}}, "created": "2026-03-20T10:36:49.633013+00:00", "updated": "2026-03-25T14:30:06.460013+00:00", "vendors": ["free5gc", "free5gc$PRODUCT$free5gc"]}