Skip to main content

Suse CVE-2026-33191

HIGH
Improper Neutralization of Null Byte or NUL Character (CWE-158)
2026-03-18 https://github.com/free5gc/udm GHSA-p9hg-pq3q-v9gv
8.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 18, 2026 - 20:15 vuln.today
Patch released
Mar 18, 2026 - 20:15 nvd
Patch available
CVE Published
Mar 18, 2026 - 20:11 nvd
HIGH 8.6

DescriptionGitHub Advisory

Impact This is an Improper Input Validation vulnerability with Denial of Service and Injection implications.

  • Security Impact: A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the UDM's Nudm_SubscriberDataManagement API. This causes URL parsing failure in Go's net/url package with the error "invalid control character in URL", resulting in a 500 Internal Server Error. This null byte injection vulnerability can be exploited for denial of service attacks.
  • Functional Impact: When the supi parameter contains null characters, the UDM attempts to construct a URL for UDR that includes these control characters. Go's URL parser rejects them, causing the request to fail with 500 instead of properly validating input and returning 400 Bad Request.
  • Affected Parties: All deployments of free5GC v4.0.1 using the UDM Nudm_SDM service with endpoints that include path parameters (e.g., /nudm-sdm/v2/{supi}/am-data).

Patches Yes, the issue has been patched. The fix is implemented in PR free5gc/udm#79. Users should upgrade to the next release of free5GC that includes this commit.

Workarounds There is no direct workaround at the application level. The recommendation is to apply the provided patch or implement API gateway-level validation to reject requests containing null bytes in path parameters before they reach UDM.

AnalysisAI

Null byte injection in the UDM's Nudm_SubscriberDataManagement API allows unauthenticated remote attackers to crash the service by embedding URL-encoded %00 characters in the supi parameter, triggering unhandled parsing errors and denial of service. The vulnerability stems from improper input validation that permits control characters to reach Go's URL parser, which rejects them with a 500 error instead of sanitizing the input upstream. A patch is available.

Technical ContextAI

This vulnerability affects the User Data Management (UDM) component of free5GC, an open-source 5G core network implementation written in Go (CPE: pkg:go/github.com_free5gc_udm). The root cause is CWE-158 (Improper Neutralization of Null Byte or NUL Character), where the UDM service fails to validate null byte characters in the 'supi' (Subscription Permanent Identifier) path parameter of the Nudm_SubscriberDataManagement API before constructing URLs for communication with the Unified Data Repository (UDR). When null bytes are present, Go's net/url package raises an 'invalid control character in URL' error, causing the request to fail with HTTP 500 rather than rejecting the malformed input with HTTP 400. This represents a failure to sanitize input at the application boundary before passing it to URL parsing routines.

RemediationAI

Organizations should upgrade to the next release of free5GC that includes the fix from pull request https://github.com/free5gc/udm/pull/79. Until patching is feasible, deploy API gateway-level input validation to reject requests containing null bytes (URL-encoded as %00 or raw null characters) in path parameters before they reach the UDM service. Network-level mitigations such as restricting access to the UDM API to trusted network segments and implementing rate limiting can reduce exposure to denial of service attacks. No direct application-level workaround exists according to the vendor advisory at https://github.com/free5gc/free5gc/security/advisories/GHSA-p9hg-pq3q-v9gv, making patching the primary remediation strategy.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33191 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy