CVE-2026-41135
Published: 22 April 2026
Summary
CVE-2026-41135 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in free5GC. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 31.2 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and correction of the specific memory leak flaw in the PCF software, directly eliminating the root cause of uncontrolled memory growth.
Implements denial-of-service protections such as rate limiting on the PCF SBI OAM endpoint to block repeated HTTP requests that trigger memory exhaustion.
Protects critical system resources like memory from unauthorized depletion caused by the progressive growth of the Gin router's handler chain.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Memory leak in network-accessible PCF SBI allows repeated HTTP requests to exploit the vulnerability for application resource exhaustion and DoS, directly mapping to T1499.004.
NVD Description
free5GC UDR is the Policy Control Function (PCF) for free5GC, an open-source project for 5th generation (5G) mobile core networks. A memory leak vulnerability in versions prior to 1.4.3 allows any unauthenticated attacker with network access to the PCF SBI interface to cause uncontrolled memory growth by sending repeated HTTP requests to the OAM endpoint. The root cause is a `router.Use()` call inside an HTTP handler that registers a new CORS middleware on every incoming request, permanently growing the Gin router's handler chain. This leads to progressive memory exhaustion and eventual Denial of Service of the PCF, preventing all UEs from obtaining AM and SM policies and blocking 5G session establishment. Version 1.4.3 contains a patch.
Deeper analysis
CVE-2026-41135 is a memory leak vulnerability in the Policy Control Function (PCF) component of free5GC, an open-source implementation of a 5G mobile core network. The issue affects versions prior to 1.4.3 and stems from a `router.Use()` call within an HTTP handler that registers a new CORS middleware instance on every incoming request to the PCF's Service-Based Interface (SBI). This permanently extends the Gin router's handler chain, resulting in progressive memory exhaustion. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption).
Any unauthenticated attacker with network access to the PCF SBI interface can exploit this vulnerability by sending repeated HTTP requests to the Operations, Administration, and Maintenance (OAM) endpoint. This triggers uncontrolled memory growth, eventually causing Denial of Service (DoS) on the PCF. As a result, all User Equipments (UEs) are prevented from obtaining Access and Mobility Management (AM) or Session Management (SM) policies, blocking 5G session establishment.
The free5GC security advisory (GHSA-98cp-84m9-q3qp) details the issue and confirms that version 1.4.3 includes a patch addressing the root cause. The specific fix is implemented in commit 599803b1b2eb4611e26d5216481ee142bce71a16 in the free5gc/pcf repository, which resolves the improper middleware registration. Security practitioners should upgrade to free5GC 1.4.3 or later to mitigate the vulnerability.
Details
- CWE(s)