CVE-2026-27642
Published: 24 February 2026
Summary
CVE-2026-27642 is a high-severity Improper Input Validation (CWE-20) vulnerability in Free5Gc Udm. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Software (T1592.002); ranked at the 27.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Directly implements checks on information inputs to reject invalid data before processing.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated error disclosure via malformed supi input enables remote software/firmware fingerprinting of free5GC UDM instances.
NVD Description
free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, remote attackers can inject control characters (e.g., %00) into the supi parameter, triggering internal…
more
URL parsing errors (net/url: invalid control character). This exposes system-level error details and can be used for service fingerprinting. All deployments of free5GC using the UDM Nudm_UEAU service may be affected. free5gc/udm pull request 75 contains a fix for the issue. No direct workaround is available at the application level. Applying the official patch is recommended.
Deeper analysisAI
CVE-2026-27642 is an improper input validation vulnerability (CWE-20) in the Unified Data Management (UDM) component of free5GC, an open-source project implementing 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 are affected, where remote attackers can inject control characters, such as %00, into the supi parameter of the UDM Nudm_UEAU service. This injection triggers internal URL parsing errors in the net/url package, manifesting as "invalid control character" exceptions.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable over the network with low complexity and no privileges or user interaction required. Attackers can trigger the error to expose system-level error details, facilitating service fingerprinting of free5GC UDM deployments.
free5GC security advisories, including GHSA-h4wg-rp7m-8xx4 and GitHub issue #749, confirm the issue and point to the fix in free5gc/udm pull request 75 and commit a7af2321ddea6368c43835f90f6d1b9d67dd2ea1. No direct application-level workaround is available; security practitioners should apply the official patch to affected deployments.
Details
- CWE(s)