CVE-2026-33063: CWE-476: NULL Pointer Dereference in free5gc ausf
CVE-2026-33063 is a high-severity vulnerability in free5GC AUSF versions prior to 1.4.2, caused by improper null pointer handling in the UE authentication service. A remote attacker can send a crafted UE authentication request to the `/nausf-auth/v1/ue-authentications` endpoint, triggering a nil interface conversion in the `GetSupiFromSuciSupiMap` function. This causes the AUSF service to panic and crash, resulting in a denial of service (DoS). The root cause is the lack of a nil check before converting an `interface{}` to a pointer type, leading to a runtime panic. There is no direct application-level workaround, so patching to version 1.4.2 or later is essential. Restricting access to the AUSF API to trusted sources can mitigate exposure.
AI Analysis
Technical Summary
The vulnerability CVE-2026-33063 affects the Authentication Server Function (AUSF) component of free5GC, an open-source 5G core network implementation. Specifically, the flaw exists in the UE authentication service endpoint `/nausf-auth/v1/ue-authentications`. The issue arises from improper handling of a nil interface in the `GetSupiFromSuciSupiMap` function, which attempts to convert an `interface{}` type to a pointer to `context.SuciSupiMap` without verifying if the underlying value is nil. When the value is nil, this causes a runtime panic with the message `interface conversion: interface {} is nil, not *context.SuciSupiMap`, crashing the AUSF service. Since AUSF is critical for authenticating user equipment in the 5G core network, its unavailability leads to denial of service for authentication requests. The vulnerability requires no authentication or user interaction and can be triggered remotely by sending a specially crafted UE authentication request. The issue was fixed in free5GC AUSF version 1.4.2. Due to the nature of the vulnerability, no direct application-level workaround exists; however, network-level controls such as restricting API access to trusted sources can reduce risk. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) reflects a network attack vector with low complexity, no privileges or user interaction required, no impact on confidentiality or integrity, but high impact on availability. This vulnerability highlights the importance of robust input validation and error handling in critical telecom infrastructure software.
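The bug class described above, shown as an added Go example (not free5GC's code): an unchecked type assertion on a nil `interface{}` beside the comma-ok form that returns an error instead of panicking. The `SuciSupiMap` struct, the `sync.Map` store, the function names and the identifiers are constructed stand-ins, assumed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// SuciSupiMap is a constructed stand-in for the type named in the advisory.
type SuciSupiMap struct{ SUCI, SUPI string }

var ErrUnknownSuci = errors.New("no SUCI/SUPI mapping for identifier")

// store is a hypothetical lookup table; Load yields a nil interface for a missing key.
var store sync.Map

// lookupUnchecked shows the flawed pattern: a single-value type assertion
// on a possibly nil interface{}. A missing key makes it panic.
func lookupUnchecked(id string) string {
	v, _ := store.Load(id)
	return v.(*SuciSupiMap).SUPI
}

// lookupChecked uses the comma-ok assertion and also rejects a typed nil
// pointer, so an unknown identifier becomes an error the handler can return.
func lookupChecked(id string) (string, error) {
	v, _ := store.Load(id)
	m, ok := v.(*SuciSupiMap)
	if !ok || m == nil {
		return "", ErrUnknownSuci
	}
	return m.SUPI, nil
}

// panicMessage runs f and returns the recovered panic text, or "" if none.
func panicMessage(f func()) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	f()
	return ""
}

func main() {
	store.Store("suci-known", &SuciSupiMap{SUCI: "suci-known", SUPI: "imsi-constructed-001"})
	fmt.Println(panicMessage(func() { lookupUnchecked("suci-unknown") }))
	fmt.Println(lookupChecked("suci-unknown"))
}
```

Without the `recover` wrapper used here for demonstration, the unchecked lookup would take the whole process down, which is the availability impact the CVSS vector records.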
Potential Impact
The primary impact of this vulnerability is a denial of service condition affecting the AUSF component of free5GC, which is responsible for authenticating user equipment in 5G networks. A successful exploit causes the AUSF service to crash, disrupting authentication processes and potentially preventing legitimate users from accessing network services. This can lead to service outages, degraded user experience, and operational disruptions for mobile network operators deploying free5GC. Given the critical role of AUSF in 5G core network security and operation, prolonged or repeated exploitation could impact network availability and reliability. While confidentiality and integrity are not directly affected, the availability impact is significant. Organizations relying on free5GC for 5G core network functions may face increased risk of service interruptions, regulatory non-compliance, and reputational damage if this vulnerability is exploited. The ease of remote exploitation without authentication increases the threat level, especially in environments where the AUSF API is exposed or insufficiently protected.
Mitigation Recommendations
1. Upgrade free5GC AUSF to version 1.4.2 or later, where the null pointer dereference issue is patched.
2. Implement strict network segmentation and firewall rules to restrict access to the AUSF API endpoint `/nausf-auth/v1/ue-authentications` to trusted and authenticated sources only, minimizing exposure to untrusted networks.
3. Deploy runtime monitoring and alerting for AUSF service crashes or panics to enable rapid detection and response to exploitation attempts.
4. Conduct regular code audits and fuzz testing on critical 5G core components to identify and remediate similar input validation and error handling issues proactively.
5. Use application-layer gateways or API gateways with input validation to filter malformed or suspicious authentication requests before they reach AUSF.
6. Maintain up-to-date backups and failover mechanisms for AUSF services to reduce downtime in case of denial of service.
7. Collaborate with upstream free5GC developers and community to stay informed about patches and security advisories.
Affected Countries
United States, China, South Korea, Japan, Germany, France, United Kingdom, India, Brazil, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T19:27:06.343Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bcbde5e32a4fbe5f2545c8
Added to database: 3/20/2026, 3:24:21 AM
Last enriched: 3/27/2026, 7:41:24 PM
Last updated: 5/2/2026, 9:31:40 AM