CVE-2026-27642
Published: 24 February 2026
Summary
CVE-2026-27642 is a medium-severity Improper Input Validation (CWE-20) vulnerability in free5GC UDM. Its CVSS base score is 6.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Software (T1592.002); ranked at the 10.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-27642 is an improper input validation vulnerability (CWE-20) in the Unified Data Management (UDM) component of free5GC, an open-source project implementing 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 are affected, where remote attackers can inject control characters, such as %00, into the supi parameter of the UDM Nudm_UEAU service. This injection triggers internal URL parsing errors in the net/url package, manifesting as "invalid control character" exceptions.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable over the network with low complexity and no privileges or user interaction required. Attackers can trigger the error to expose system-level error details, facilitating service fingerprinting of free5GC UDM deployments.
free5GC security advisories, including GHSA-h4wg-rp7m-8xx4 and GitHub issue #749, confirm the issue and point to the fix in free5gc/udm pull request 75 and commit a7af2321ddea6368c43835f90f6d1b9d67dd2ea1. No direct application-level workaround is available; security practitioners should apply the official patch to affected deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7463
Vulnerability details
free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, remote attackers can inject control characters (e.g., %00) into the supi parameter, triggering internal URL parsing errors (net/url: invalid control character). This exposes system-level error details and can be used for service fingerprinting. All deployments of free5GC using the UDM Nudm_UEAU service may be affected. free5gc/udm pull request 75 contains a fix for the issue. No direct workaround is available at the application level. Applying the official patch is recommended.
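To make the defensive point concrete, the following is an added Go example (not free5GC's own code) that contrasts a handler echoing the net/url parse error with one that validates the supi parameter first and returns a fixed error body. The udrBase URL, the SUPI grammar and the function names are assumptions for illustration.

```go
package main

import (
	"log"
	"net/http"
	"net/url"
	"regexp"
)

// Hypothetical downstream (UDR) base URL; the real target is not given on the page.
const udrBase = "http://udr.example.internal/nudr-dr/v1/subscription-data"
// Assumed SUPI grammar ("imsi-" plus 5 to 15 digits); a decoded \x00 fails it before net/url sees it.
var supiPattern = regexp.MustCompile(`^imsi-[0-9]{5,15}$`)

// DownstreamURL mirrors the vulnerable pattern: the client-controlled SUPI is spliced into a URL that net/url parses.
func DownstreamURL(supi string) (string, error) {
	u, err := url.Parse(udrBase + "/" + supi + "/authentication-data")
	if err != nil {
		return "", err
	}
	return u.String(), nil
}

// HandleUnvalidated models the flaw: rawSupi is percent-decoded (as the router does) and
// the parse error is echoed verbatim, so "%00" yields a 500 carrying the net/url message.
func HandleUnvalidated(rawSupi string) (int, string) {
	supi, err := url.PathUnescape(rawSupi)
	if err != nil {
		return http.StatusBadRequest, err.Error()
	}
	target, err := DownstreamURL(supi)
	if err != nil {
		return http.StatusInternalServerError, err.Error() // leaks internal error text
	}
	return http.StatusOK, target
}

// HandleValidated applies SI-10 and SI-11: reject anything outside the SUPI grammar, and on
// an internal failure log the detail server-side while returning a fixed, non-revealing body.
func HandleValidated(rawSupi string) (int, string) {
	supi, err := url.PathUnescape(rawSupi)
	if err != nil || !supiPattern.MatchString(supi) {
		return http.StatusBadRequest, `{"title":"Bad Request","detail":"malformed supi"}`
	}
	target, err := DownstreamURL(supi)
	if err != nil {
		log.Printf("udm: downstream URL build failed: %v", err)
		return http.StatusInternalServerError, `{"title":"Internal Server Error"}`
	}
	return http.StatusOK, target
}
```

With the constructed input `imsi-2089300007487%00`, HandleUnvalidated returns a 500 whose body contains "net/url: invalid control character in URL", while HandleValidated returns a 400 with the fixed body and no internal detail.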
Related Threats
MITRE ATT&CK Enterprise Techniques
- Gather Victim Host Information: Software (T1592.002)
Why these techniques?
Remote unauthenticated error disclosure via malformed supi input enables remote software/firmware fingerprinting of free5GC UDM instances.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation of inputs such as the supi parameter, rejecting control characters so that the URL parsing error is never triggered.
- SI-11 (Error Handling): restricts error messages so that system-level details are not exposed when the UDM service processes an invalid control character.
- Flaw remediation: mandates timely patching of known flaws such as this improper input validation vulnerability, via the official free5GC fix.