CVE-2026-40343: Fail-Open Request Handling in free5GC UDR Policy Data Subscription

CVE-2026-40343 is a medium-severity vulnerability affecting the free5GC User Data Repository (UDR) up to version 1.4.2. The UDR is a core network function in the 5G Service Based Architecture responsible for storing and managing subscriber data, policy data, and exposed data. The flaw resides specifically in the Service Based Interface (SBI) endpoint for policy data notification subscriptions.

The vulnerability is classified as CWE-754: Improper Check for Unusual or Exceptional Conditions. When processing POST requests at the /nudr-dr/v2/policy-data/subs-to-notify endpoint, the UDR handler encounters fatal errors during request body extraction or JSON deserialization but fails to halt the execution flow.

This fail-open condition causes the application to pass an uninitialized or partially populated subscription object to the downstream processor. Consequently, the application writes an invalid subscription state to the underlying database, directly impacting data integrity within the 5G core network.

The root cause involves two distinct programming errors within the HandlePolicyDataSubsToNotifyPost function located in NFs/udr/internal/sbi/api_datarepository.go. The primary issue is the omission of execution-terminating return statements in the error handling blocks for HTTP request body retrieval and deserialization.

When the handler calls c.GetRawData(), an error correctly generates an HTTP 500 log entry and response preparation. However, the absence of a return statement causes the program counter to proceed immediately to the deserialization logic with a nil or incomplete payload.

The secondary issue involves an incorrect implementation of the openapi.Deserialize() function call. The handler passes the policyDataSubscription object by value instead of by pointer. Even if the deserialization routine attempts to handle the malformed input gracefully, the original object remains unpopulated.

Following these failures, the handler invokes the s.Processor().PolicyDataSubsToNotifyPostProcedure method, passing the empty policyDataSubscription struct. The downstream processor accepts this uninitialized object as legitimate input, executing a database write operation that establishes an invalid subscription.

A review of the vulnerable function flow demonstrates the exact point of failure within the error handling constructs. The application registers errors via logging and sets the HTTP response context but does not explicitly return from the handler function.

The vulnerable code sequence lacks the necessary flow control keywords. The snippet below highlights the missing termination and the incorrect pointer usage that compound the error state.

reqBody, err := c.GetRawData()
if err != nil {
    logger.DataRepoLog.Errorf("Get Request Body error: %+v", err)
    pd := openapi.ProblemDetailsSystemFailure(err.Error())
    c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)
    c.JSON(http.StatusInternalServerError, pd)
    // VULNERABILITY: Missing return statement here
}
 
// VULNERABILITY: Passed by value instead of pointer
err = openapi.Deserialize(policyDataSubscription, reqBody, "application/json")
if err != nil {
    logger.DataRepoLog.Errorf("Deserialize Request Body error: %+v", err)
    pd := util.ProblemDetailsMalformedReqSyntax(err.Error())
    c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)
    c.JSON(http.StatusBadRequest, pd)
    // VULNERABILITY: Missing return statement here
}
 
s.Processor().PolicyDataSubsToNotifyPostProcedure(c, policyDataSubscription)

The remediation requires minimal syntax changes but resolves the structural logic flaw. Adding return statements inside both if err != nil blocks ensures the handler exits immediately upon encountering malformed requests, and modifying the openapi.Deserialize call to accept a memory address (&policyDataSubscription) ensures correct data population.

Exploitation of CVE-2026-40343 requires unauthenticated network access to the UDR's Service Based Interface. An attacker must send a specially crafted HTTP POST request to the /nudr-dr/v2/policy-data/subs-to-notify API endpoint.

The attacker triggers the vulnerability by deliberately generating an error condition during the request processing phase. This can be achieved by terminating the TCP connection prematurely to interrupt c.GetRawData(), or by supplying a structurally invalid JSON body to force an openapi.Deserialize() failure.

Upon receiving the malformed request, the UDR logs the appropriate error and queues either an HTTP 400 or HTTP 500 response. However, due to the fail-open logic, the attacker achieves their primary objective: the UDR executes the downstream procedure and records a null or default subscription state.

According to threat intelligence reports from VulnCheck, there are currently no weaponized proof-of-concept exploits circulating in the public domain. The vulnerability is verified entirely through static analysis and manual code review of the execution path.

The primary impact of CVE-2026-40343 is a compromise of data integrity within the 5G core network's data storage tier. The creation of unintended Policy Data notification subscriptions pollutes the UDR database with orphan or invalid entries.

This data pollution can lead to secondary operational issues depending on how downstream network functions consume the invalid subscriptions. If another component queries the UDR and retrieves malformed subscription parameters, it may trigger unhandled exceptions in adjacent services.

The CVSS v4.0 base score of 6.9 reflects the network-based attack vector and the lack of authentication requirements. The scoring matrix assigns a Low impact to Integrity and zero impact to Confidentiality and Availability, as the bug does not directly expose sensitive data or crash the service.

As of April 2026, an official pre-compiled patch or distinct version bump addressing this specific CVE is not yet available in the public release channels. Organizations utilizing free5GC UDR versions 1.4.2 and earlier must apply code-level mitigations manually.

Developers and network operators should implement the recommended code modifications in NFs/udr/internal/sbi/api_datarepository.go. Inserting explicit return statements within the error handling blocks prevents the fail-open condition from reaching the database write procedure.

To further harden the network environment, operators should ensure that the UDR's Service Based Interface is strictly isolated from untrusted networks. Implementing strict network access controls limits the attack surface to authenticated or explicitly trusted adjacent network functions.