Suse
CVE-2026-33064
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact This is a NULL Pointer Dereference vulnerability leading to Denial of Service.
- Security Impact: A remote attacker can cause the UDM service to panic and crash by sending a crafted POST request to the
/sdm-subscriptionsendpoint with a malformed URL path containing path traversal sequences (../) and a large JSON payload. TheDataChangeNotificationProcedurefunction innotifier.goattempts to access a nil pointer without proper validation, causing a complete service crash with "runtime error: invalid memory address or nil pointer dereference". - Functional Impact: The service crashes completely, requiring manual restart. All UDM functionality is disrupted until recovery.
- Affected Parties: All deployments of free5GC v4.0.1 using the UDM HTTP callback functionality.
Patches Yes, the issue has been patched. The fix is implemented in PR free5gc/udm#78. Users should upgrade to the next release of free5GC that includes this commit.
Workarounds There is no direct workaround at the application level. The recommendation is to apply the provided patch or implement API gateway-level filtering to block requests containing path traversal sequences.
AnalysisAI
A NULL pointer dereference vulnerability in free5GC v4.0.1's UDM (Unified Data Management) service allows remote attackers to crash the service via a crafted POST request to the /sdm-subscriptions endpoint containing path traversal sequences and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go fails to validate pointers before dereferencing, causing complete service disruption requiring manual restart. All deployments of free5GC v4.0.1 utilizing UDM HTTP callback functionality are affected, and a patch is available via PR free5gc/udm#78.
Technical ContextAI
This vulnerability affects the UDM (Unified Data Management) component of free5GC, an open-source 5G core network implementation written in Go (pkg:go/github.com_free5gc_udm). The UDM service handles subscriber data management and registration procedures in 5G networks. The vulnerability is classified as CWE-476 (NULL Pointer Dereference), occurring in the DataChangeNotificationProcedure function within notifier.go when processing HTTP callback subscriptions. When the service receives a malformed request with path traversal sequences (../) to the /sdm-subscriptions endpoint, it attempts to dereference a nil pointer without prior validation, triggering a runtime panic with 'invalid memory address or nil pointer dereference'. This represents a critical flaw in input validation and error handling within the Go-based HTTP request processing logic.
RemediationAI
Upgrade to the next release of free5GC that includes the fix from PR https://github.com/free5gc/udm/pull/78 (commit 65d7070f4bfd016864cbbaefbd506bbc85d2fa92). Organizations unable to immediately upgrade should implement API gateway-level filtering to block HTTP requests containing path traversal sequences (../) directed at the /sdm-subscriptions endpoint. Additional hardening measures include restricting network access to the UDM service to trusted 5G core network components only, implementing rate limiting on the subscription endpoints, and deploying monitoring to detect repeated crash-and-restart patterns indicative of exploitation attempts. Review the vendor security advisory at https://github.com/free5gc/free5gc/security/advisories/GHSA-7g27-v5wj-jr75 for complete guidance.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-7g27-v5wj-jr75