CVE-2026-33191

CVE-2026-33191 is a null byte injection vulnerability affecting Free5GC, an open-source Linux Foundation project implementing 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable, specifically in the UDM (Unified Data Management) component's Nudm_SubscriberDataManagement API. The issue arises when a null byte (URL-encoded as %00) is injected into the supi path parameter, leading to a URL parsing failure in Go's net/url package. This triggers an "invalid control character in URL" error, resulting in a 500 Internal Server Error instead of proper input validation and a 400 Bad Request response. The vulnerability is associated with CWEs-158 (Input Improperly Controlled: Name or Reference) and CWE-248 (Uncaught Exception), and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

A remote attacker with network access can exploit this vulnerability without authentication or user interaction by sending crafted requests to the affected API endpoint with a %00-encoded null byte in the supi parameter. When the UDM processes the parameter and constructs a URL for the UDR (Unified Data Repository), the embedded null character causes Go's URL parser to reject it, denying service to legitimate requests. This enables denial-of-service attacks, potentially disrupting 5G core network functions by repeatedly triggering 500 errors and overwhelming the service.

The Free5GC security advisory (GHSA-p9hg-pq3q-v9gv) and the fixing commit (88de9fa74a1b3f3522e53b4cfa2d184712ffa4ee) in the UDM repository confirm the issue was resolved in version 1.4.2 through improved input validation to prevent null byte propagation and ensure proper error handling with 400 responses. Security practitioners should upgrade to Free5GC 1.4.2 or later and review API inputs for control characters in path parameters.