{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44322/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["nef 4.2.1"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","free5GC","NEF","CVE-2026-44322"],"_cs_type":"advisory","_cs_vendors":["free5GC"],"content_html":"\u003cp\u003eA vulnerability exists in free5GC\u0026rsquo;s NEF (Network Exposure Function) component, specifically in the \u003ccode\u003ePATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId}\u003c/code\u003e handler. This vulnerability, present in version 4.2.1, stems from a nil pointer dereference that occurs when the upstream UDR (User Data Repository) call fails and the consumer wrapper returns an error along with a nil \u003ccode\u003e*ProblemDetails\u003c/code\u003e. The handler incorrectly attempts to access the \u003ccode\u003eCause\u003c/code\u003e field of a nil \u003ccode\u003eproblemDetails\u003c/code\u003e object, leading to a panic. While Gin recovery converts this panic into an HTTP 500 error, it effectively results in a denial-of-service condition for a single PATCH request. The issue is triggered when UDR access is failing, for example because the NRF or UDR is unreachable or broken. This vulnerability is reachable without authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a POST request to create an AF context using the \u003ccode\u003e/3gpp-traffic-influence/v1/afnpd3/subscriptions\u003c/code\u003e endpoint, without any Authorization header.\u003c/li\u003e\n\u003cli\u003eThe attacker then sends a POST request to create a PFD-management transaction using the \u003ccode\u003e/3gpp-pfd-management/v1/afnpd3/transactions\u003c/code\u003e endpoint, including PFD data in the request body.\u003c/li\u003e\n\u003cli\u003eThe attacker causes UDR access to fail, simulating this by stopping the NRF (Network Repository Function) service. This leads to NEF\u0026rsquo;s UDR client being unable to discover or dial the UDR.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a PATCH request to \u003ccode\u003e/3gpp-pfd-management/v1/afnpd3/transactions/1/applications/appnpd3\u003c/code\u003e, triggering the vulnerable code path.\u003c/li\u003e\n\u003cli\u003eThe NEF attempts to process the PATCH request but fails to access the UDR due to the NRF outage.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePatchIndividualApplicationPFDManagement\u003c/code\u003e function encounters an error because \u003ccode\u003eproblemDetails\u003c/code\u003e is nil, causing a nil pointer dereference at \u003ccode\u003eNFs/nef/internal/sbi/processor/pfd.go:622\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eGin recovery catches the panic, converting it into an HTTP 500 Internal Server Error.\u003c/li\u003e\n\u003cli\u003eThe attacker receives an HTTP 500 response, indicating the denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability results in a NULL pointer dereference (CWE-476), leading to a denial-of-service condition. Although Gin recovery prevents the NEF process from crashing entirely, a successful attack causes the affected PATCH endpoint to return HTTP 500 errors instead of the intended controlled error response. The attacker does not directly control the prerequisite condition of UDR access failure. The vulnerability affects free5GC version 4.2.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the upstream fix available in the NEF repository (\u003ca href=\"https://github.com/free5gc/nef/pull/22\"\u003ehttps://github.com/free5gc/nef/pull/22\u003c/a\u003e) to resolve the nil pointer dereference.\u003c/li\u003e\n\u003cli\u003eMonitor NEF logs for panic errors originating from \u003ccode\u003eNFs/nef/internal/sbi/processor/pfd.go:622\u003c/code\u003e to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect HTTP 500 errors from the vulnerable endpoint, indicative of the denial-of-service condition.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-09T12:00:00Z","date_published":"2026-05-09T12:00:00Z","id":"/briefs/2026-05-free5gc-nef-panic/","summary":"A nil pointer dereference vulnerability exists in free5GC's NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler when UDR access fails, causing a denial-of-service condition.","title":"free5GC NEF PATCH Handler Vulnerability Leads to Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-05-free5gc-nef-panic/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-44322","version":"https://jsonfeed.org/version/1.1"}