Cyber Resilience

CVE-2026-44328

HighPublic PoC

Published: 27 May 2026

Published
27 May 2026
Modified
28 May 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS Score 0.0032 24.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-44328 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Free5Gc Free5Gc. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. On top of that, the DELETE /upi/v1/upNodesLinks/{upNodeRef} handler unconditionally dereferences upNode.UPF after the type-guarded async…

more

release, even though AN-typed nodes are constructed without a UPF object. As a result, a single unauthenticated DELETE /upi/v1/upNodesLinks/gNB1 request crashes the handler with a nil-pointer panic AND mutates the in-memory user-plane topology before panicking (the UpNodeDelete(upNodeRef) line runs first). This is an unauthenticated, state-mutating panic-DoS sink that an off-path network attacker can trigger by name against any AN entry. This vulnerability is fixed in 4.2.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authentication on public management endpoint (CWE-306/862) directly enables remote exploitation for DoS impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44329Same product: Free5Gc Free5Gc
CVE-2026-44327Same product: Free5Gc Free5Gc
CVE-2026-44320Same product: Free5Gc Free5Gc
CVE-2026-44326Same product: Free5Gc Free5Gc
CVE-2026-44315Same product: Free5Gc Free5Gc
CVE-2026-42083Same product: Free5Gc Free5Gc
CVE-2026-44316Same product: Free5Gc Free5Gc
CVE-2026-40246Same product: Free5Gc Free5Gc
CVE-2026-44321Same product: Free5Gc Free5Gc
CVE-2026-42459Same product: Free5Gc Free5Gc

Affected Assets

free5gc
free5gc
≤ 4.2.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-306 CWE-862

Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.

addresses: CWE-306 CWE-862

Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.

addresses: CWE-862 CWE-306

Always invoking the reference monitor prevents missing authorization checks for protected resources.

addresses: CWE-306 CWE-862

Auditing sessions makes it possible to detect access to critical functions without required authentication.

addresses: CWE-306 CWE-862

The assessment process confirms authentication is present and effective for critical functions, preventing exploitation from missing authentication.

addresses: CWE-306 CWE-862

Certification assesses that critical functions have required authentication controls in place.

addresses: CWE-862 CWE-306

Requiring authorization servers ensures authorization is performed for protected functions.

addresses: CWE-306 CWE-862

Tailoring determines which functions require authentication and selects the appropriate baseline or compensating authentication controls.

References