CVE-2026-33064
Published: 20 March 2026
Summary
CVE-2026-33064 is a high-severity Missing Default Case in Multiple Condition Expression (CWE-478) vulnerability in Free5Gc Udm. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely application of the vendor patch (Free5GC 1.4.2) that adds nil pointer validation in the affected notifier.go function.
Enforces validation of inputs to the /sdm-subscriptions endpoint, blocking malformed URL paths with traversal sequences (../) and oversized JSON payloads that trigger the nil pointer dereference.
Requires secure error handling in the DataChangeNotificationProcedure to gracefully manage nil pointers without causing runtime panic and service crash.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of public-facing UDM service via crafted request triggers nil pointer dereference crash, directly enabling T1190 (Exploit Public-Facing Application) and T1499.004 (Application or System Exploitation) for DoS impact.
NVD Description
Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to procedure panic caused by Nil Pointer Dereference in the /sdm-subscriptions endpoint. A remote attacker can cause the UDM service…
more
to panic and crash by sending a crafted POST request to the /sdm-subscriptions endpoint with a malformed URL path containing path traversal sequences (../) and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go attempts to access a nil pointer without proper validation, causing a complete service crash with "runtime error: invalid memory address or nil pointer dereference". Exploitation would result in UDM functionality disruption until recovery by restart. This issue has been fixed in version 1.4.2.
Deeper analysisAI
CVE-2026-33064 is a nil pointer dereference vulnerability in Free5GC, an open-source Linux Foundation project implementing 5G mobile core networks. It affects the User Data Management (UDM) service in versions prior to 1.4.2, specifically within the /sdm-subscriptions endpoint. The issue arises in the DataChangeNotificationProcedure function in notifier.go, which fails to validate a nil pointer when processing requests, leading to a runtime panic and service crash with the error "runtime error: invalid memory address or nil pointer dereference." The vulnerability is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-478 (Missing Default Case in Multiple Condition Expression) and CWE-476 (NULL Pointer Dereference).
A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted POST request to the /sdm-subscriptions endpoint. The request must include a malformed URL path with path traversal sequences (such as ../) combined with a large JSON payload. This triggers the nil pointer access, causing the UDM service to crash completely and disrupting its functionality until manual restart or recovery mechanisms intervene. The attack requires no user interaction or privileges, enabling denial-of-service against 5G core network operations.
The vulnerability has been addressed in Free5GC version 1.4.2. Official mitigation guidance from the project's GitHub security advisory (GHSA-7g27-v5wj-jr75) and related issue (#781) recommends upgrading to the patched version. The fix is implemented via a specific commit (65d7070f4bfd016864cbbaefbd506bbc85d2fa92) in the UDM repository and merged through pull request #78, which adds proper nil pointer validation in notifier.go. Security practitioners should verify deployments and apply the update promptly to restore service stability.
Details
- CWE(s)