Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-40343

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-21 Apr, 2026 | 23:47
Updated At-22 Apr, 2026 | 13:12
Rejected At-
Credits

free5GC UDR: Fail-open handling in PolicyDataSubsToNotifyPost allows unintended subscription creation

free5GC UDR is the user data repository (UDR) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.2, a fail-open request handling flaw in the UDR service causes the `/nudr-dr/v2/policy-data/subs-to-notify` POST handler to continue processing requests even after request body retrieval or deserialization errors. This may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior. As of time of publication, a patched version is not available.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:21 Apr, 2026 | 23:47
Updated At:22 Apr, 2026 | 13:12
Rejected At:
▼CVE Numbering Authority (CNA)
free5GC UDR: Fail-open handling in PolicyDataSubsToNotifyPost allows unintended subscription creation

free5GC UDR is the user data repository (UDR) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.2, a fail-open request handling flaw in the UDR service causes the `/nudr-dr/v2/policy-data/subs-to-notify` POST handler to continue processing requests even after request body retrieval or deserialization errors. This may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior. As of time of publication, a patched version is not available.

Affected Products
Vendor
free5gc
Product
udr
Versions
Affected
  • <= 1.4.2
Problem Types
TypeCWE IDDescription
CWECWE-754CWE-754: Improper Check for Unusual or Exceptional Conditions
Type: CWE
CWE ID: CWE-754
Description: CWE-754: Improper Check for Unusual or Exceptional Conditions
Metrics
VersionBase scoreBase severityVector
4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/free5gc/free5gc/security/advisories/GHSA-jwch-w7wh-gqjm
x_refsource_CONFIRM
Hyperlink: https://github.com/free5gc/free5gc/security/advisories/GHSA-jwch-w7wh-gqjm
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:22 Apr, 2026 | 00:16
Updated At:23 Apr, 2026 | 19:44

free5GC UDR is the user data repository (UDR) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.2, a fail-open request handling flaw in the UDR service causes the `/nudr-dr/v2/policy-data/subs-to-notify` POST handler to continue processing requests even after request body retrieval or deserialization errors. This may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior. As of time of publication, a patched version is not available.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.15.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Type: Secondary
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 5.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CPE Matches
free5gc
free5gc
>>free5gc>>Versions up to 4.2.1(inclusive)
cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*
free5gc
free5gc
>>udr>>Versions up to 1.4.2(inclusive)
cpe:2.3:a:free5gc:udr:*:*:*:*:*:go:*:*
Weaknesses
CWE IDTypeSource
CWE-754Primarysecurity-advisories@github.com
CWE ID: CWE-754
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/free5gc/free5gc/security/advisories/GHSA-jwch-w7wh-gqjmsecurity-advisories@github.com
Vendor Advisory
Mitigation
Patch
Hyperlink: https://github.com/free5gc/free5gc/security/advisories/GHSA-jwch-w7wh-gqjm
Source: security-advisories@github.com
Resource:
Vendor Advisory
Mitigation
Patch

Change History

0
Information is not available yet

Similar CVEs

6Records found
CVE-2026-40249
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.02% / 6.61%
||
7 Day CHG~0.00%
Published-16 Apr, 2026 | 21:59
Updated-21 Apr, 2026 | 13:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
free5gc UDR fail-open request handling in PolicyDataSubsToNotifySubsIdPut may allow unintended subscription updates after input errors

free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the PUT handler for updating Policy Data notification subscriptions at /nudr-dr/v2/policy-data/subs-to-notify/{subsId} does not return after request body retrieval or deserialization errors. Although HTTP 500 or 400 error responses are sent, execution continues and the processor is invoked with a potentially uninitialized or partially initialized PolicyDataSubscription object. This fail-open behavior may allow unintended modification of existing Policy Data notification subscriptions with invalid or empty input, depending on downstream processor and storage behavior. A patched version was not available at the time of publication.

Action-Not Available
Vendor-free5gcfree5gc
Product-free5gcfree5gc
CWE ID-CWE-636
Not Failing Securely ('Failing Open')
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2025-69250
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.6||MEDIUM
EPSS-0.14% / 33.74%
||
7 Day CHG~0.00%
Published-23 Feb, 2026 | 23:45
Updated-25 Feb, 2026 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
free5GC has Improper Error Handling in UDM, Leading to Information Exposure

free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, the service reliably leaks detailed internal error messages (e.g., strconv.ParseInt parsing errors) to remote clients when processing invalid pduSessionId inputs. This exposes implementation details and can be used for service fingerprinting. All deployments of free5GC using the UDM Nudm_UECM DELETE service may be vulnerable. free5gc/udm pull request 76 contains a fix for the issue. No direct workaround is available at the application level. Applying the official patch is recommended.

Action-Not Available
Vendor-free5gcfree5gc
Product-udmudm
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2024-47507
Matching Score-4
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.27% / 51.03%
||
7 Day CHG~0.00%
Published-11 Oct, 2024 | 15:38
Updated-26 Jan, 2026 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junos OS and Junos OS Evolved: BGP update message containing aggregator attribute with an ASN value of zero (0) is accepted

An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause an integrity impact to the downstream devices. When a peer sends a BGP update message which contains the aggregator attribute with an ASN value of zero (0), rpd accepts and propagates this attribute, which can cause issues for downstream BGP peers receiving this. This issue affects: Junos OS: * All versions before 21.4R3-S6, * 22.2 versions before 22.2R3-S3, * 22.4 versions before 22.4R3;  Junos OS Evolved:  * All versions before 21.4R3-S7-EVO, * 22.2 versions before 22.2R3-S4-EVO, * 22.4 versions before 22.4R3-EVO.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-junos_os_evolvedjunosJunos OSJunos OS Evolvedjunosjunos_evolved
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2024-39561
Matching Score-4
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.12% / 30.15%
||
7 Day CHG~0.00%
Published-10 Jul, 2024 | 22:46
Updated-10 Apr, 2025 | 20:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junos OS: SRX4600, SRX5000 Series: TCP packets with SYN/FIN or SYN/RST are transferred after enabling no-syn-check with Express Path

An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow daemon (flowd) of Juniper Networks Junos OS on SRX4600 and SRX5000 Series allows an attacker to send TCP packets with SYN/FIN or SYN/RST flags, bypassing the expected blocking of these packets. A TCP packet with SYN/FIN or SYN/RST should be dropped in flowd. However, when no-syn-check and Express Path are enabled, these TCP packets are unexpectedly transferred to the downstream network. This issue affects Junos OS on SRX4600 and SRX5000 Series: * All versions before 21.2R3-S8, * from 21.4 before 21.4R3-S7, * from 22.1 before 22.1R3-S6, * from 22.2 before 22.2R3-S4, * from 22.3 before 22.3R3-S3, * from 22.4 before 22.4R3-S2, * from 23.2 before 23.2R2, * from 23.4 before 23.4R1-S1, 23.4R2.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-srx4600srx5000srx5800junossrx5400srx5600Junos OSjunos
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2021-0225
Matching Score-4
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-5.8||MEDIUM
EPSS-0.19% / 40.26%
||
7 Day CHG~0.00%
Published-22 Apr, 2021 | 19:36
Updated-16 Sep, 2024 | 22:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junos OS Evolved: Stateless IP firewall filter does not work as expected

An Improper Check for Unusual or Exceptional Conditions in Juniper Networks Junos OS Evolved may cause the stateless firewall filter configuration which uses the action 'policer' in certain combinations with other options to not take effect. An administrator can use the following CLI command to see the failures with filter configuration: user@device> show log kfirewall-agent.log | match ERROR Jul 23 14:16:03 ERROR: filter not supported This issue affects Juniper Networks Junos OS Evolved: Versions 19.1R1-EVO and above prior to 20.3R1-S2-EVO, 20.3R2-EVO. This issue does not affect Juniper Networks Junos OS.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-junos_os_evolvedJunos OS Evolved
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2023-44198
Matching Score-4
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-5.8||MEDIUM
EPSS-0.08% / 22.73%
||
7 Day CHG~0.00%
Published-12 Oct, 2023 | 23:05
Updated-18 Sep, 2024 | 14:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junos OS: SRX Series and MX Series: SIP ALG doesn't drop specifically malformed retransmitted SIP packets

An Improper Check for Unusual or Exceptional Conditions vulnerability in the SIP ALG of Juniper Networks Junos OS on SRX Series and MX Series allows an unauthenticated network-based attacker to cause an integrity impact in connected networks. If the SIP ALG is configured and a device receives a specifically malformed SIP packet, the device prevents this packet from being forwarded, but any subsequently received retransmissions of the same packet are forwarded as if they were valid. This issue affects Juniper Networks Junos OS on SRX Series and MX Series: * 20.4 versions prior to 20.4R3-S5; * 21.1 versions prior to 21.1R3-S4; * 21.2 versions prior to 21.2R3-S4; * 21.3 versions prior to 21.3R3-S3; * 21.4 versions prior to 21.4R3-S2; * 22.1 versions prior to 22.1R2-S2, 22.1R3; * 22.2 versions prior to 22.2R2-S1, 22.2R3; * 22.3 versions prior to 22.3R1-S2, 22.3R2. This issue doesn't not affected releases prior to 20.4R1.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-srx345mx2008mx960mx240srx5800srx380srx4200srx4700srx340mx10004mx10008srx4100mx2020mx10003mx2010srx5400mx204srx1600srx550srx300srx2300srx4300mx480srx320srx5600junossrx4600mx304srx1500Junos OSjunos_os
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
Details not found