Vulnerability Description
free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the PUT handler for updating Policy Data notification subscriptions at /nudr-dr/v2/policy-data/subs-to-notify/{subsId} does not return after request body retrieval or deserialization errors. Although HTTP 500 or 400 error responses are sent, execution continues and the processor is invoked with a potentially uninitialized or partially initialized PolicyDataSubscription object. This fail-open behavior may allow unintended modification of existing Policy Data notification subscriptions with invalid or empty input, depending on downstream processor and storage behavior. A patched version was not available at the time of publication.
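The fail-open pattern the advisory describes, shown as an added Go example that is not free5GC's code: a simplified stand-in handler writes the 400 on a decode error but forgets to `return`, so a zero-valued `PolicyDataSubscription` still reaches the processor, next to a fixed handler that returns on every error path. The type, the in-memory `store` and the `processor` function are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"net/http"
)

// PolicyDataSubscription is a simplified stand-in (assumption, not the
// free5GC type) for the object the PUT handler deserializes from the body.
type PolicyDataSubscription struct {
	NotificationUri       string   `json:"notificationUri"`
	MonitoredResourceUris []string `json:"monitoredResourceUris"`
}

// store and processor stand in for the downstream storage layer (assumption);
// the processor overwrites whatever it is handed, which makes fail-open destructive.
var store = map[string]PolicyDataSubscription{}

func processor(subsId string, sub PolicyDataSubscription) {
	store[subsId] = sub
}

// vulnerableHandler mirrors the advisory: the 400 is written, but the missing
// return lets execution fall through to the processor with a zero-valued
// subscription, silently replacing the stored one.
func vulnerableHandler(subsId string, w http.ResponseWriter, r *http.Request) {
	var sub PolicyDataSubscription
	if err := json.NewDecoder(r.Body).Decode(&sub); err != nil {
		http.Error(w, "malformed body", http.StatusBadRequest)
		// BUG: no return here
	}
	processor(subsId, sub)
}

// fixedHandler returns on every error path and also rejects a well-formed but
// empty subscription before it can reach the store.
func fixedHandler(subsId string, w http.ResponseWriter, r *http.Request) {
	var sub PolicyDataSubscription
	if err := json.NewDecoder(r.Body).Decode(&sub); err != nil {
		http.Error(w, "malformed body", http.StatusBadRequest)
		return
	}
	if sub.NotificationUri == "" { // required field (assumption)
		http.Error(w, "notificationUri is required", http.StatusBadRequest)
		return
	}
	processor(subsId, sub)
	w.WriteHeader(http.StatusNoContent)
}
```

A unit test that sends a malformed PUT body and then asserts the stored subscription is unchanged is the cheapest regression check for this class of bug.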
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Free5Gc | Free5Gc | <= 4.2.1 |
Related Weaknesses (CWE)
References
- https://github.com/free5gc/free5gc/security/advisories/GHSA-gx38-8h33-pmxr (Exploit, Third Party Advisory, Mitigation)
FAQ
What is CVE-2026-40249?
CVE-2026-40249 is a vulnerability with a CVSS score of 5.3 (MEDIUM). free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the PUT handler for updating Policy Data notification subscriptions at /nudr-dr/v2/poli...
How severe is CVE-2026-40249?
CVE-2026-40249 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-40249?
Check the references section above for vendor advisories and patch information. Affected products include: Free5Gc Free5Gc.