Cyber Resilience

CVE-2026-27642

MediumPublic PoC

Published: 24 February 2026

Published
24 February 2026
Modified
25 February 2026
KEV Added
Patch
CVSS Score v4 6.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0003 10.5th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27642 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Free5Gc Udm. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Software (T1592.002); ranked at the 10.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-27642 is an improper input validation vulnerability (CWE-20) in the Unified Data Management (UDM) component of free5GC, an open-source project implementing 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 are affected, where remote attackers can inject control characters, such as %00, into the supi parameter of the UDM Nudm_UEAU service. This injection triggers internal URL parsing errors in the net/url package, manifesting as "invalid control character" exceptions.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable over the network with low complexity and no privileges or user interaction required. Attackers can trigger the error to expose system-level error details, facilitating service fingerprinting of free5GC UDM deployments.

free5GC security advisories, including GHSA-h4wg-rp7m-8xx4 and GitHub issue #749, confirm the issue and point to the fix in free5gc/udm pull request 75 and commit a7af2321ddea6368c43835f90f6d1b9d67dd2ea1. No direct application-level workaround is available; security practitioners should apply the official patch to affected deployments.

EU & UK References

Vulnerability details

free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, remote attackers can inject control characters (e.g., %00) into the supi parameter, triggering internal…

more

URL parsing errors (net/url: invalid control character). This exposes system-level error details and can be used for service fingerprinting. All deployments of free5GC using the UDM Nudm_UEAU service may be affected. free5gc/udm pull request 75 contains a fix for the issue. No direct workaround is available at the application level. Applying the official patch is recommended.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1592.002 Software Reconnaissance
Adversaries may gather information about the victim's host software that can be used during targeting.
Why these techniques?

Remote unauthenticated error disclosure via malformed supi input enables remote software/firmware fingerprinting of free5GC UDM instances.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-69250Same product: Free5Gc Udm
CVE-2026-33064Same product: Free5Gc Udm
CVE-2025-69252Same product: Free5Gc Udm
CVE-2026-33191Same product: Free5Gc Udm
CVE-2025-70123Same vendor: Free5Gc
CVE-2025-69232Same vendor: Free5Gc
CVE-2026-42459Same vendor: Free5Gc
CVE-2026-44325Same vendor: Free5Gc
CVE-2026-44319Same vendor: Free5Gc
CVE-2026-42083Same vendor: Free5Gc

Affected Assets

free5gc
udm
≤ 1.4.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces validation of inputs like the supi parameter to reject control characters and prevent triggering URL parsing errors.

prevent

Restricts error messages from exposing system-level details during invalid control character processing in the UDM service.

prevent

Mandates timely patching of known flaws like this improper input validation vulnerability via the official free5GC fix.

References