CVE-2026-40343: Fail-Open Request Handling in free5GC UDR Policy Data Subscription
Vulnerability ID: CVE-2026-40343
CVSS Score: 6.9
Published: 2026-04-21
A fail-open request handling vulnerability in the free5GC UDR service up to version 1.4.2 allows attackers to create invalid or unintended Policy Data notification subscriptions. The application fails to terminate execution upon encountering HTTP body retrieval or JSON deserialization errors, proceeding to process uninitialized data.
TL;DR
free5GC UDR <= 1.4.2 processes uninitialized subscription data due to missing error return paths, enabling state manipulation via malformed POST requests.
Technical Details
- CWE ID: CWE-754
- Attack Vector: Network
- CVSS: 6.9
- Impact: Integrity
- Exploit Status: None
- KEV Status: Not Listed
Affected Systems
- free5GC UDR (User Data Repository)
- udr: <= 1.4.2
Mitigation Strategies
- Manual code patching to enforce fail-closed behavior
- Network segmentation of SBI interfaces
- API payload validation via WAF
Remediation Steps:
- Locate HandlePolicyDataSubsToNotifyPost in api_datarepository.go
- Add explicit 'return' statements inside the error handling blocks for c.GetRawData() and openapi.Deserialize()
- Modify the openapi.Deserialize() call to pass policyDataSubscription by pointer (&)
- Recompile and redeploy the UDR service
References
Read the full report for CVE-2026-40343 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)