Login Sign Up

CVE-2026-27643

5.3 MEDIUM

📋 TL;DR

The free5GC UDR component leaks detailed internal parsing error messages to remote clients through the NEF service. This allows attackers to perform service fingerprinting and gather intelligence about the 5G core network implementation. All deployments using free5GC UDR versions up to 1.4.1 with the Nnef_PfdManagement service enabled are affected.

💻 Affected Systems

Products:
  • free5GC UDR
Versions: Up to and including version 1.4.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using the Nnef_PfdManagement service within free5GC UDR component.

📦 What is this software?

Udr by Free5gc

View all CVEs affecting Udr →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could map the exact software version and configuration details, enabling targeted attacks against known vulnerabilities in specific free5GC deployments.

🟠

Likely Case

Information disclosure that reveals internal error handling mechanisms and software stack details, facilitating reconnaissance for future attacks.

🟢

If Mitigated

Limited information leakage with generic error messages that don't reveal implementation details.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malformed requests to trigger parsing errors, which then leak detailed error messages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 1.4.1

Vendor Advisory: https://github.com/free5gc/free5gc/security/advisories/GHSA-6468-f87j-6g82

Restart Required: Yes

Instructions:

1. Update free5GC UDR to version after 1.4.1. 2. Apply the patch from pull request #56. 3. Restart the UDR service. 4. Verify error messages no longer contain internal parsing details.

🔧 Temporary Workarounds

No application-level workaround

all

The advisory states there is no direct workaround at the application level. The only solution is to apply the patch.

🧯 If You Can't Patch

  • Implement network-level filtering to restrict access to Nnef_PfdManagement service endpoints
  • Deploy WAF or reverse proxy to sanitize error responses before they reach clients

🔍 How to Verify

Check if Vulnerable:

Send malformed JSON requests to Nnef_PfdManagement endpoints and check if detailed parsing error messages are returned.

Check Version:

Check free5GC UDR version in configuration files or via API endpoints if available.

Verify Fix Applied:

After patching, send malformed requests and verify only generic error messages are returned without internal parsing details.

📡 Detection & Monitoring

Log Indicators:

  • Unusual parsing error patterns in UDR logs
  • Multiple malformed requests to Nnef_PfdManagement endpoints

Network Indicators:

  • Repeated malformed JSON payloads sent to UDR service ports
  • Unusual error response patterns in network traffic

SIEM Query:

source="free5gc-udr" AND (message="parsing error" OR message="invalid character")

📊 Metadata

CVE ID: CVE-2026-27643
CVSS v3 Score: 5.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-209
Published: February 24, 2026
Last Updated: February 25, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-27643, you might also want to check these:

CVE-2025-62168 10.0

Squid caching proxy versions before 7.2 fail to properly redact HTTP authentication credentials in e...

Same vulnerability type (CWE-209)
CVE-2025-46658 9.8

CVE-2025-46658 is an information disclosure vulnerability in 4C Strategies ExonautWeb where verbose ...

Same vulnerability type (CWE-209)
CVE-2024-6980 9.8

A verbose error handling issue in the GravityZone Update Server proxy service allows attackers to pe...

Same vulnerability type (CWE-209)