{"id":"GHSA-wr8j-6chw-gm6p","summary":"free5GC's PCF npcf-smpolicycontrol POST /sm-policies panics on downstream UDR/OpenAPI 404 via nil pointer dereference","details":"### Summary\nfree5GC's PCF `POST /npcf-smpolicycontrol/v1/sm-policies` handler (`HandleCreateSmPolicyRequest`) panics with a nil-pointer dereference when a downstream OpenAPI consumer call (UDR lookup) returns `404 Not Found` and the consumer wrapper returns `err != nil` together with a nil response struct. The handler logs the OpenAPI error and continues executing instead of returning, then dereferences the nil response struct on a subsequent line and panics. Gin recovery converts the panic into `HTTP 500`, so a single attacker-shaped POST returns 500 instead of a clean 4xx whenever the downstream lookup fails. The PCF process keeps running.\n\nThe trigger is a single POST containing input that causes the downstream UDR lookup to fail (e.g. an unknown DNN). In v4.2.1 this endpoint is also reachable WITHOUT an `Authorization` header because the PCF `Npcf_SMPolicyControl` route group is mounted without inbound auth middleware (see free5gc/free5gc#844). So in the validation lab the trigger is fully unauthenticated.\n\n### Details\nValidated against the PCF container in the official Docker compose lab.\n- free5GC version: `v4.1.0` (originally reported on v4.1.0; same defect present in v4.2.1)\n- PCF endpoint: `http://10.100.200.9:8000`\n\nVulnerable handler path (paraphrased from the captured stack trace):\n```\n[INFO][PCF][SMpolicy] Handle CreateSmPolicy\n[ERRO][PCF][Consumer] openapi error: 404, Not Found\n[ERRO][PCF][GIN] panic: runtime error: invalid memory address or nil pointer dereference\n  github.com/free5gc/pcf/internal/sbi/processor.(*Processor).HandleCreateSmPolicyRequest\n      /go/src/free5gc/NFs/pcf/internal/sbi/processor/smpolicy.go:82 +0x562\n  github.com/free5gc/pcf/internal/sbi.(*Server).HTTPCreateSMPolicy\n      /go/src/free5gc/NFs/pcf/internal/sbi/api_smpolicy.go:86 +0x405\n```\n\nThe handler's UDR-failure branch logs the OpenAPI error but does not return; the next line dereferences the nil response struct.\n\nCode evidence (paths in `free5gc/pcf`):\n- Panic site:\n  - `NFs/pcf/internal/sbi/processor/smpolicy.go:82`\n- Route dispatch:\n  - `NFs/pcf/internal/sbi/api_smpolicy.go:86`\n\n### PoC\nReproduced end-to-end against the running PCF at `http://10.100.200.9:8000`.\n\nSend a single POST whose `dnn` is unknown to UDR -- this drives the downstream OpenAPI call to return `404 Not Found`, which then triggers the nil-deref panic:\n```\ncurl -sS -X POST 'http://10.100.200.9:8000/npcf-smpolicycontrol/v1/sm-policies' \\\n  -H 'Content-Type: application/json' \\\n  -d '{\n    \"supi\":\"imsi-208930000000003\",\n    \"pduSessionId\":1,\n    \"dnn\":\"internet-bad\",\n    \"sliceInfo\":{\"sst\":1,\"sd\":\"010203\"},\n    \"servingNetwork\":{\"mcc\":\"208\",\"mnc\":\"93\"},\n    \"accessType\":\"3GPP_ACCESS\",\n    \"notificationUri\":\"http://smf.free5gc.org:8000/npcf-smpolicycontrol/v1/notify\"\n  }'\n```\n\nObserved response: `HTTP 500 Internal Server Error` with empty body.\n\nPCF container logs show:\n```\n[INFO][PCF][SMpolicy] Handle CreateSmPolicy\n[ERRO][PCF][Consumer] openapi error: 404, Not Found\n[ERRO][PCF][GIN] panic: runtime error: invalid memory address or nil pointer dereference\n  ...HandleCreateSmPolicyRequest at smpolicy.go:82...\n```\n\nThe Gin recovery middleware catches the panic (the captured stack trace runs inside `ginRecover.func2.1`), so the PCF process keeps serving other requests; the realized impact is per-request `HTTP 500` on this endpoint whenever the downstream lookup fails.\n\n### Impact\nNULL pointer dereference (CWE-476) caused by improper handling of an exceptional branch (CWE-754): the UDR-failure branch logs the OpenAPI error but does not return, then dereferences the nil response struct. The intended behavior is to return a controlled `4xx`/`5xx` `ProblemDetails` and stop processing.\n\nGin recovery catches the panic, so the PCF process is NOT killed and other endpoints continue serving. The realized impact is per-request: any unauthenticated POST that drives the downstream UDR lookup to a `404` returns `HTTP 500` (with empty body and a stack trace in PCF logs) instead of a controlled error response.\n\nNo Confidentiality impact (the response is `500` with empty body). No persistent Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation. The endpoint remains reachable to unauthenticated attackers via the route-group auth gap separately tracked in free5gc/free5gc#844.\n\nAffected: free5gc v4.2.1 (originally reported against v4.1.0; same defect present).\n\nUpstream issue: https://github.com/free5gc/free5gc/issues/803\nUpstream fix: https://github.com/free5gc/pcf/pull/62","aliases":["CVE-2026-44316"],"modified":"2026-05-08T22:46:14.307937Z","published":"2026-05-08T22:39:43Z","database_specific":{"github_reviewed_at":"2026-05-08T22:39:43Z","github_reviewed":true,"cwe_ids":["CWE-476","CWE-754"],"nvd_published_at":null,"severity":"HIGH"},"references":[{"type":"WEB","url":"https://github.com/free5gc/free5gc/security/advisories/GHSA-wr8j-6chw-gm6p"},{"type":"WEB","url":"https://github.com/free5gc/free5gc/issues/803"},{"type":"WEB","url":"https://github.com/free5gc/pcf/pull/62"},{"type":"WEB","url":"https://github.com/free5gc/pcf/commit/df535f5524314620715e842baf9723efbeb481a7"},{"type":"PACKAGE","url":"https://github.com/free5gc/free5gc"}],"affected":[{"package":{"name":"github.com/free5gc/pcf","ecosystem":"Go","purl":"pkg:golang/github.com/free5gc/pcf"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.4.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-wr8j-6chw-gm6p/GHSA-wr8j-6chw-gm6p.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}