Suse
CVE-2026-33191
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact This is an Improper Input Validation vulnerability with Denial of Service and Injection implications.
- Security Impact: A remote attacker can inject null bytes (URL-encoded as
%00) into thesupipath parameter of the UDM's Nudm_SubscriberDataManagement API. This causes URL parsing failure in Go'snet/urlpackage with the error "invalid control character in URL", resulting in a 500 Internal Server Error. This null byte injection vulnerability can be exploited for denial of service attacks. - Functional Impact: When the
supiparameter contains null characters, the UDM attempts to construct a URL for UDR that includes these control characters. Go's URL parser rejects them, causing the request to fail with 500 instead of properly validating input and returning 400 Bad Request. - Affected Parties: All deployments of free5GC v4.0.1 using the UDM Nudm_SDM service with endpoints that include path parameters (e.g.,
/nudm-sdm/v2/{supi}/am-data).
Patches Yes, the issue has been patched. The fix is implemented in PR free5gc/udm#79. Users should upgrade to the next release of free5GC that includes this commit.
Workarounds There is no direct workaround at the application level. The recommendation is to apply the provided patch or implement API gateway-level validation to reject requests containing null bytes in path parameters before they reach UDM.
AnalysisAI
Null byte injection in the UDM's Nudm_SubscriberDataManagement API allows unauthenticated remote attackers to crash the service by embedding URL-encoded %00 characters in the supi parameter, triggering unhandled parsing errors and denial of service. The vulnerability stems from improper input validation that permits control characters to reach Go's URL parser, which rejects them with a 500 error instead of sanitizing the input upstream. A patch is available.
Technical ContextAI
This vulnerability affects the User Data Management (UDM) component of free5GC, an open-source 5G core network implementation written in Go (CPE: pkg:go/github.com_free5gc_udm). The root cause is CWE-158 (Improper Neutralization of Null Byte or NUL Character), where the UDM service fails to validate null byte characters in the 'supi' (Subscription Permanent Identifier) path parameter of the Nudm_SubscriberDataManagement API before constructing URLs for communication with the Unified Data Repository (UDR). When null bytes are present, Go's net/url package raises an 'invalid control character in URL' error, causing the request to fail with HTTP 500 rather than rejecting the malformed input with HTTP 400. This represents a failure to sanitize input at the application boundary before passing it to URL parsing routines.
RemediationAI
Organizations should upgrade to the next release of free5GC that includes the fix from pull request https://github.com/free5gc/udm/pull/79. Until patching is feasible, deploy API gateway-level input validation to reject requests containing null bytes (URL-encoded as %00 or raw null characters) in path parameters before they reach the UDM service. Network-level mitigations such as restricting access to the UDM API to trusted network segments and implementing rate limiting can reduce exposure to denial of service attacks. No direct application-level workaround exists according to the vendor advisory at https://github.com/free5gc/free5gc/security/advisories/GHSA-p9hg-pq3q-v9gv, making patching the primary remediation strategy.
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-p9hg-pq3q-v9gv