CVE-2026-40343: CVE-2026-40343: Fail-Open Request Handling in free5GC UDR Policy Data Subscription

Source: Dev.to

Vulnerability Overview

• Vulnerability ID: CVE-2026-40343
• CVSS Score: 6.9 (Integrity)
• Published: 2026-04-21
• CWE: CWE‑754 (Improper Check for Unusual or Exceptional Conditions)
• Attack Vector: Network
• Exploit Status: None
• KEV Status: Not Listed

A fail‑open request handling vulnerability exists in the free5GC UDR service (up to version 1.4.2). When processing a Policy Data subscription POST request, the application does not terminate execution after encountering errors while retrieving the HTTP body or deserializing JSON. Consequently, it proceeds with uninitialized data, allowing an attacker to create invalid or unintended Policy Data notification subscriptions and manipulate internal state.

Technical Details

• Component: free5GC UDR (User Data Repository)
• Affected Versions: ≤ 1.4.2
• Root Cause: Missing error‑return paths in HandlePolicyDataSubsToNotifyPost (file api_datarepository.go).
• Impact: Integrity – an attacker can inject malformed subscription objects that the UDR processes as valid, potentially leading to unauthorized policy changes or service disruption.

Failure Flow

1. The handler calls c.GetRawData() to read the request body.
2. If an error occurs, the code logs the error but does not return, allowing execution to continue.
3. The handler then calls openapi.Deserialize() to parse the JSON payload.
4. Errors from Deserialize() are also logged without an early return.
5. The function proceeds with a partially‑filled policyDataSubscription struct, leading to undefined behavior.

Remediation Steps

1. Locate the vulnerable function

   // File: api_datarepository.go
   func HandlePolicyDataSubsToNotifyPost(c *gin.Context) {
       // ...
   }

2. Add explicit returns inside the error handling blocks:

   rawData, err := c.GetRawData()
   if err != nil {
       log.Errorf("Failed to read request body: %v", err)
       c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
       return   // <-- added
   }
   
   var policyDataSubscription openapi.PolicyDataSubscription
   if err := openapi.Deserialize(rawData, &policyDataSubscription); err != nil {
       log.Errorf("JSON deserialization error: %v", err)
       c.JSON(http.StatusBadRequest, gin.H{"error": "invalid JSON payload"})
       return   // <-- added
   }

3. Pass the struct by pointer to Deserialize (as shown above) to ensure proper unmarshalling.
4. Recompile and redeploy the UDR service after applying the patch.

Additional Mitigations

• Network segmentation of SBI (Service Based Interface) endpoints to limit exposure.
• Deploy a Web Application Firewall (WAF) with rules that validate API payloads against the OpenAPI schema.

References

• Official CVE Advisory – CVE-2026-40343 (cve.org)
• National Vulnerability Database (NVD) entry
• free5GC UDR Repository
• OSV Record for CVE-2026-40343

For a full analysis, including interactive diagrams and exploit details, see the complete report on the project’s website.