CVE-2026-33191

High

Published: 20 March 2026

Published

20 March 2026

Modified

23 March 2026

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

EPSS Score 0.0020 41.2th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33191 is a high-severity Improper Neutralization of Null Byte or NUL Character (CWE-158) vulnerability in Free5Gc Udm. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Mandates validation of path parameters like supi to reject null bytes (%00), preventing URL parsing failures and DoS crashes.

SI-11 Error Handling good match

prevent

Requires proper error handling to return 400 Bad Request instead of exploitable 500 Internal Server Errors from invalid control characters.

SC-5 Denial-of-service Protection partial match

prevent

Provides denial-of-service protection mechanisms to limit the impact of repeated null byte injections overwhelming the UDM API.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

The vulnerability allows remote unauthenticated exploitation of a public-facing API (T1190) to trigger application crashes via null byte injection, enabling endpoint DoS through application exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to null byte injection in URL path parameters. A remote attacker can inject null bytes (URL-encoded as %00) into the…

supi path parameter of the UDM's Nudm_SubscriberDataManagement API. This causes URL parsing failure in Go's net/url package with the error "invalid control character in URL", resulting in a 500 Internal Server Error. This null byte injection vulnerability can be exploited for denial of service attacks. When the supi parameter contains null characters, the UDM attempts to construct a URL for UDR that includes these control characters. Go's URL parser rejects them, causing the request to fail with 500 instead of properly validating input and returning 400 Bad Request. This issue has been fixed in version 1.4.2.

Deeper analysisAI

CVE-2026-33191 is a null byte injection vulnerability affecting Free5GC, an open-source Linux Foundation project implementing 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable, specifically in the UDM (Unified Data Management) component's Nudm_SubscriberDataManagement API. The issue arises when a null byte (URL-encoded as %00) is injected into the supi path parameter, leading to a URL parsing failure in Go's net/url package. This triggers an "invalid control character in URL" error, resulting in a 500 Internal Server Error instead of proper input validation and a 400 Bad Request response. The vulnerability is associated with CWEs-158 (Input Improperly Controlled: Name or Reference) and CWE-248 (Uncaught Exception), and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

A remote attacker with network access can exploit this vulnerability without authentication or user interaction by sending crafted requests to the affected API endpoint with a %00-encoded null byte in the supi parameter. When the UDM processes the parameter and constructs a URL for the UDR (Unified Data Repository), the embedded null character causes Go's URL parser to reject it, denying service to legitimate requests. This enables denial-of-service attacks, potentially disrupting 5G core network functions by repeatedly triggering 500 errors and overwhelming the service.

The Free5GC security advisory (GHSA-p9hg-pq3q-v9gv) and the fixing commit (88de9fa74a1b3f3522e53b4cfa2d184712ffa4ee) in the UDM repository confirm the issue was resolved in version 1.4.2 through improved input validation to prevent null byte propagation and ensure proper error handling with 400 responses. Security practitioners should upgrade to Free5GC 1.4.2 or later and review API inputs for control characters in path parameters.

Details

CWE(s): CWE-158 CWE-248

Affected Products

free5gc

udm

≤ 1.4.2

CVEs Like This One

CVE-2026-33064Same product: Free5Gc Udm

CVE-2025-69252Same product: Free5Gc Udm

CVE-2026-27642Same product: Free5Gc Udm

CVE-2025-69250Same product: Free5Gc Udm

CVE-2026-1975Same vendor: Free5Gc

CVE-2026-1682Same vendor: Free5Gc

CVE-2025-69232Same vendor: Free5Gc

CVE-2026-25501Same vendor: Free5Gc

CVE-2025-69248Same vendor: Free5Gc

CVE-2026-1739Same vendor: Free5Gc

References

https://github.com/free5gc/free5gc/security/advisories/GHSA-p9hg-pq3q-v9gv
Patch, Vendor Advisory · security-advisories@github.com
https://github.com/free5gc/udm/commit/88de9fa74a1b3f3522e53b4cfa2d184712ffa4ee
Patch · security-advisories@github.com