CVE-2026-40343: CWE-754: Improper Check for Unusual or Exceptional Conditions in free5gc udr
Description
CVE-2026-40343 is a medium-severity vulnerability in free5GC's Unified Data Repository (UDR) network function, affecting versions up to and including 1.4.2. The flaw is improper error handling in the POST handler for the /nudr-dr/v2/policy-data/subs-to-notify endpoint: when retrieval or deserialization of the request body fails, the service continues processing instead of rejecting the request. The result is that policy data notification subscriptions can be created from invalid or incomplete input. No patch or official remediation was available at the time of publication.
AI Analysis
Technical Summary
The vulnerability in free5GC UDR (<= 1.4.2) is an improper check for unusual or exceptional conditions (CWE-754) in the POST handler at /nudr-dr/v2/policy-data/subs-to-notify. The handler does not halt when reading or deserializing the request body fails, so the request is processed as if it had succeeded: a fail-open condition. Depending on downstream processing, this can create policy data notification subscriptions populated with invalid, empty, or partially decoded data. The CVSS 4.0 base score is 6.9 (medium), reflecting a network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on integrity and availability with no confidentiality impact. No patch or vendor advisory with remediation is currently available.
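The fail-open pattern described above, and the fail-closed handler that corrects it, as an added example written for this page. It is not free5GC's code: the request type, the in-memory store, the field names and the sample bodies are all assumed or constructed for illustration, and the handlers are plain net/http rather than the project's own router. Three constructed requests are sent to each handler (a body whose read fails mid-stream, a truncated JSON body, and a well-formed body) and the status codes and resulting store size are compared.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// PolicyDataSubscription is a cut-down stand-in for the subs-to-notify body;
// the field names are assumed for illustration and are not free5GC's own type.
type PolicyDataSubscription struct {
	NotificationUri       string   `json:"notificationUri"`
	MonitoredResourceUris []string `json:"monitoredResourceUris"`
}

// subStore is an in-memory stand-in for the UDR's subscription backend.
type subStore struct{ subs []PolicyDataSubscription }
func (st *subStore) add(s PolicyDataSubscription) int {
	st.subs = append(st.subs, s)
	return len(st.subs)
}

// writeProblem emits a minimal 3GPP-style ProblemDetails response.
func writeProblem(w http.ResponseWriter, status int, detail string) {
	w.Header().Set("Content-Type", "application/problem+json")
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(map[string]any{"status": status, "detail": detail})
}

// vulnerableHandler reproduces the CWE-754 shape described above: read and decode
// errors are discarded, so a zero-valued subscription is stored behind a 201.
func vulnerableHandler(st *subStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body) // read error ignored
		var sub PolicyDataSubscription
		_ = json.Unmarshal(body, &sub) // decode error ignored; sub stays zero-valued
		st.add(sub)
		w.WriteHeader(http.StatusCreated)
	}
}

// hardenedHandler fails closed: each error path returns before the store is
// touched, and a body that decodes but lacks required fields is rejected too.
func hardenedHandler(st *subStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
		if err != nil {
			writeProblem(w, http.StatusBadRequest, "request body could not be read")
			return
		}
		var sub PolicyDataSubscription
		if err := json.Unmarshal(body, &sub); err != nil {
			writeProblem(w, http.StatusBadRequest, "request body is not valid JSON")
			return
		}
		if sub.NotificationUri == "" || len(sub.MonitoredResourceUris) == 0 {
			writeProblem(w, http.StatusBadRequest, "notificationUri and monitoredResourceUris are required")
			return
		}
		id := st.add(sub)
		w.Header().Set("Location", fmt.Sprintf("/nudr-dr/v2/policy-data/subs-to-notify/%d", id))
		w.WriteHeader(http.StatusCreated)
	}
}

// errReader is constructed test input: it simulates a transport failure mid-body.
type errReader struct{}
func (errReader) Read([]byte) (int, error) { return 0, errors.New("connection reset") }

// post drives a handler in-process and returns the HTTP status it produced.
func post(h http.HandlerFunc, body io.Reader) int {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodPost, "/nudr-dr/v2/policy-data/subs-to-notify", body))
	return rec.Code
}

// Result: status of three constructed requests (failed read, truncated JSON,
// well-formed body) and the number of subscriptions stored afterwards.
type Result struct{ ReadFailure, MalformedJSON, Valid, Stored int }

// Constructed sample body; the URIs are illustrative only.
const validBody = `{"notificationUri":"http://nef.example.org/policy-notify",` +
	`"monitoredResourceUris":["/nudr-dr/v2/policy-data/ues/imsi-208930000000001/am-data"]}`

func RunScenarios(build func(*subStore) http.HandlerFunc) Result {
	st := &subStore{}
	h := build(st)
	var res Result
	res.ReadFailure = post(h, errReader{})
	res.MalformedJSON = post(h, strings.NewReader(`{"notificationUri": `))
	res.Valid = post(h, strings.NewReader(validBody))
	res.Stored = len(st.subs)
	return res
}

func main() {
	fmt.Printf("vulnerable: %+v\n", RunScenarios(vulnerableHandler)) // {201 201 201 3}
	fmt.Printf("hardened:   %+v\n", RunScenarios(hardenedHandler))   // {400 400 201 1}
}
```

The vulnerable handler answers 201 Created to all three requests and ends up with three stored subscriptions, two of them zero-valued; the hardened one stores only the well-formed body. The third check matters as much as the first two: a body that is syntactically valid JSON but omits the fields the subscription needs should also be refused, otherwise the same half-filled record reaches the store by a different route.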
Potential Impact
The vulnerability allows an unauthenticated network attacker who can reach the UDR's Nudr_DataRepository interface to make the service create policy data notification subscriptions from malformed or incomplete input. This can leave the policy data subscription state of the 5G core inconsistent or unintended. The impact is limited to integrity and availability; there is no direct confidentiality impact. There are no known exploits in the wild at this time.
Mitigation Recommendations
As of the publication date, no official fix or patch is available for this vulnerability. Users should monitor the free5GC project for a release that makes the handler reject the request when body retrieval or deserialization fails. Until then, reduce exposure at the network boundary: the UDR's service-based interface should only be reachable by the core's own network functions, so restrict access to the SBI with network segmentation and, where an SCP or reverse proxy fronts the UDR, have it reject requests to /nudr-dr/v2/policy-data/subs-to-notify whose body is not well-formed JSON. Avoid deploying vulnerable versions in production environments where possible.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-10T22:50:01.358Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null (not specified)
Threat ID: 69e80fc419fe3cd2cd07fdbc
Added to database: 4/22/2026, 12:01:08 AM
Last enriched: 4/29/2026, 11:41:52 AM
Last updated: 6/5/2026, 2:24:12 PM