CVE-2026-33191 in Free5GC
Summary
by MITRE • 03/20/2026
Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to null byte injection in URL path parameters. A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the UDM's Nudm_SubscriberDataManagement API. This causes URL parsing failure in Go's net/url package with the error "invalid control character in URL", resulting in a 500 Internal Server Error. This null byte injection vulnerability can be exploited for denial of service attacks. When the supi parameter contains null characters, the UDM attempts to construct a URL for UDR that includes these control characters. Go's URL parser rejects them, causing the request to fail with 500 instead of properly validating input and returning 400 Bad Request. This issue has been fixed in version 1.4.2.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/26/2026
The CVE-2026-33191 vulnerability affects Free5GC versions prior to 1.4.2, exposing a critical null byte injection flaw within the 5G mobile core network infrastructure. This vulnerability specifically targets the UDM's Nudm_SubscriberDataManagement API where the supi path parameter becomes susceptible to malicious null byte injection through URL-encoded %00 sequences. The vulnerability stems from inadequate input validation mechanisms within the URL parsing logic of the Go programming environment, creating a pathway for remote attackers to manipulate API requests and disrupt normal service operations.
The technical exploitation of this vulnerability occurs when a remote attacker crafts malicious requests containing null bytes in the supi parameter of the UDM API. The Go standard library's net/url package, which handles URL parsing operations, encounters these null characters and raises an "invalid control character in URL" error. This parsing failure manifests as a 500 Internal Server Error response instead of the expected 400 Bad Request that would indicate malformed input. The fundamental flaw lies in the absence of proper input sanitization before URL construction, allowing control characters to propagate through the system and trigger unexpected parsing behavior that ultimately leads to service disruption.
This vulnerability presents significant operational impact within 5G network environments where Free5GC serves as the core network implementation. The denial of service attack vector enables adversaries to systematically disrupt subscriber data management services, potentially affecting network availability and user connectivity. The vulnerability's exploitation demonstrates a lack of robust input validation practices that should be implemented at multiple layers of the application stack, as defined by the CWE-170 weakness category for improper null termination and control character handling. Network operators relying on Free5GC deployments face potential service degradation and increased maintenance overhead due to this vulnerability, particularly in environments where continuous availability is critical for 5G services.
The mitigation strategy for CVE-2026-33191 requires immediate deployment of Free5GC version 1.4.2, which includes proper input validation and sanitization mechanisms. Organizations should implement comprehensive network monitoring to detect anomalous API request patterns that may indicate exploitation attempts. The fix addresses the core issue by ensuring that null bytes are properly rejected during input processing rather than allowing them to propagate through URL construction. Security teams should also consider implementing additional defensive measures such as API rate limiting and request validation rules that prevent malformed URLs from reaching the core parsing components. This vulnerability aligns with ATT&CK technique T1499.004 for network denial of service, emphasizing the importance of proper input validation and error handling in maintaining service availability. Organizations should conduct thorough testing to ensure that the patched version maintains expected functionality while eliminating the null byte injection attack vector.