{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44321/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SMF"],"_cs_severities":["medium"],"_cs_tags":["free5GC","SMF","DoS","unauthenticated","UPI","CVE-2026-44321"],"_cs_type":"threat","_cs_vendors":["free5GC"],"content_html":"\u003cp\u003eThe free5GC Session Management Function (SMF) is susceptible to a denial-of-service attack due to missing authentication on the \u003ccode\u003eUPI\u003c/code\u003e management route group. Specifically, the \u003ccode\u003ePOST /upi/v1/upNodesLinks\u003c/code\u003e endpoint lacks proper inbound OAuth2 middleware, allowing unauthenticated requests. An attacker can send a crafted JSON payload to this endpoint, which is then processed by \u003ccode\u003eUpNodesFromConfiguration()\u003c/code\u003e. Certain validation failures, such as overlapping UE-IP-pools, trigger a \u003ccode\u003elogger.InitLog.Fatalf(...)\u003c/code\u003e call, which terminates the entire SMF process. This is more severe than a simple panic, as \u003ccode\u003eFatalf\u003c/code\u003e is equivalent to \u003ccode\u003eos.Exit(1)\u003c/code\u003e and halts the entire SMF process, impacting PDU-session establishment and UE policy lookups. The vulnerability affects free5GC version 4.2.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies the vulnerable \u003ccode\u003ePOST /upi/v1/upNodesLinks\u003c/code\u003e endpoint on the SMF SBI (Service Based Interface), typically running on port 8000.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JSON payload containing UPF (User Plane Function) configuration data.\u003c/li\u003e\n\u003cli\u003eThe crafted JSON includes a UE-IP-pool that overlaps with an existing UPF\u0026rsquo;s pool (e.g., \u003ccode\u003e10.60.0.0/16\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated POST request to the \u003ccode\u003e/upi/v1/upNodesLinks\u003c/code\u003e endpoint with the malicious JSON payload.\u003c/li\u003e\n\u003cli\u003eThe SMF processes the request and passes the JSON data to the \u003ccode\u003eUpNodesFromConfiguration()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eUpNodesFromConfiguration()\u003c/code\u003e function calls \u003ccode\u003eisOverlap(allUEIPPools)\u003c/code\u003e to validate the UE-IP-pools.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eisOverlap\u003c/code\u003e function detects the overlapping CIDR value between the attacker-provided UPF and the existing UPF configuration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eisOverlap\u003c/code\u003e function triggers a \u003ccode\u003elogger.InitLog.Fatalf(\u0026quot;overlap cidr value between UPFs\u0026quot;)\u003c/code\u003e call, which terminates the entire SMF process due to the equivalent of \u003ccode\u003eos.Exit(1)\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows an unauthenticated attacker to cause a complete denial-of-service on the free5GC SMF. The attacker only needs network access to the SMF SBI and can repeatedly send the malicious POST request to keep the SMF process terminated after each restart. This impacts all SMF services, including PDU-session establishment and UE policy interactions, leading to network connectivity disruptions. This vulnerability affects free5GC v4.2.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the official patch from the upstream fix at \u003ca href=\"https://github.com/free5gc/smf/pull/203\"\u003ehttps://github.com/free5gc/smf/pull/203\u003c/a\u003e to mitigate CVE-2026-44321.\u003c/li\u003e\n\u003cli\u003eImplement network access controls to restrict access to the SMF SBI from untrusted networks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Free5GC SMF UPI POST UPF Configuration\u003c/code\u003e to detect suspicious POST requests to the \u003ccode\u003e/upi/v1/upNodesLinks\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor SMF container logs for the \u003ccode\u003eFATA\u003c/code\u003e message \u003ccode\u003eoverlap cidr value between UPFs\u003c/code\u003e indicating a process termination.\u003c/li\u003e\n\u003cli\u003eConsider using the \u003ccode\u003ewebserver\u003c/code\u003e Sigma rules in this brief to detect unauthorized requests to the \u003ccode\u003e/upi/v1/upNodesLinks\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T22:47:24Z","date_published":"2026-05-08T22:47:24Z","id":"/briefs/2024-01-free5gc-smf-dos/","summary":"free5GC's SMF is vulnerable to an unauthenticated denial-of-service attack where a crafted POST request to the `/upi/v1/upNodesLinks` endpoint can trigger a `Fatalf` call, terminating the entire SMF process, effectively disrupting network services.","title":"free5GC SMF Unauthenticated Process-Kill Denial-of-Service via UPI Endpoint","url":"https://feed.craftedsignal.io/briefs/2024-01-free5gc-smf-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-44321","version":"https://jsonfeed.org/version/1.1"}