Cyber Posture

CVE-2026-42459

Severity: High · Public PoC

Published: 27 May 2026

Modified: 28 May 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0014 (33.6th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-42459 is a high-severity Improper Input Validation (CWE-20) vulnerability in free5GC (vendor free5gc, product free5gc). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 33.6th percentile by exploit likelihood (EPSS, below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-209: Detects error messages that leak sensitive information as evidence of disclosure.

Addresses CWE-209: The control directly mitigates generation of error messages containing sensitive authentication details by requiring obscured feedback instead of verbose responses.

Addresses CWE-20: Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

Addresses CWE-20: Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

Addresses CWE-209: Misdirection allows generation of misleading error messages that withhold or falsify sensitive details.

Addresses CWE-20: Directly implements checks on information inputs to reject invalid data before processing.

Addresses CWE-209: Explicitly requires error messages to avoid including sensitive or exploitable details while still supporting corrective action.

Addresses CWE-209: Validation ensures error messages contain only expected, non-sensitive content and blocks leakage via verbose errors.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote exploitation of an input validation flaw in a public-facing 5G core network service (UDM), leading to error-based information disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm (Subscriber Data Management) service. An unauthenticated attacker can inject control characters into the SUPI parameter, causing UDM to forward a malformed request to UDR and return a 500 Internal Server Error response that exposes internal infrastructure details. This vulnerability is fixed in 4.2.2.
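As an added defensive example (not free5GC's own code), the handler below shows the two fixes the description implies for a nudm-sdm GET handler: allowlist-validate the supi path parameter before anything is forwarded to UDR (CWE-20), and keep the UDR failure detail in the server log rather than in the 500 response (CWE-209). The SUPI pattern, the route shape /nudm-sdm/v2/{supi}/..., and the udrLookup type are assumptions made for this example.

```go
package main

import (
	"log"
	"net/http"
	"regexp"
	"strings"
	"unicode"
)

// Assumed SUPI allowlist (not free5GC's own code): "imsi-" plus 5 to 15
// digits, or "nai-" plus printable non-space ASCII. Tighten to local policy.
var supiPattern = regexp.MustCompile(`^(imsi-[0-9]{5,15}|nai-[\x21-\x7e]+)$`)

// validateSupi rejects control characters outright (the CWE-20 gap described
// above) and then enforces the format allowlist.
func validateSupi(supi string) bool {
	return strings.IndexFunc(supi, unicode.IsControl) < 0 && supiPattern.MatchString(supi)
}

// supiFromPath extracts {supi} from the assumed route /nudm-sdm/v2/{supi}/...
func supiFromPath(p string) string {
	seg := strings.Split(strings.TrimPrefix(p, "/"), "/")
	if len(seg) < 3 || seg[0] != "nudm-sdm" {
		return ""
	}
	return seg[2]
}

// udrLookup stands in for the UDM-to-UDR request (hypothetical signature).
type udrLookup func(supi string) ([]byte, error)

// sdmHandler validates supi before any UDR call and keeps UDR failure detail
// in the server log, returning only a generic 500 (the CWE-209 leak above).
func sdmHandler(lookup udrLookup) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		supi := supiFromPath(r.URL.Path)
		if !validateSupi(supi) {
			http.Error(w, `{"status":400,"title":"Bad Request"}`, http.StatusBadRequest)
			return
		}
		body, err := lookup(supi)
		if err != nil {
			log.Printf("udr lookup failed for supi=%q: %v", supi, err)
			http.Error(w, `{"status":500,"title":"Internal Server Error"}`, http.StatusInternalServerError)
			return
		}
		w.Write(body)
	}
}
```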

Deeper analysis (AI)

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-20, CWE-209
OWASP Top 10 Web 2025

Affected Products

Vendor: free5gc
Product: free5gc
Versions: ≤ 4.2.2

EU & UK References

References