Is github.com/free5gc/udm affected by CVE-2026-33065?

Go github.com/free5gc/udm is affected in <1.4.2.

Is CVE-2026-33065 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

medium

CVE-2026-33065

Q: Is CVE-2026-33065 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

Go · github.com/free5gc/udm

Summary

free5GC UDM incorrectly returns 500 for empty supi path parameter in DELETE sdm-subscriptions request in github.com/free5gc/udm

Severity: medium
EPSS: 0.3% (p20)
Also known as: GHSA-958m-gxmc-mccm, GO-2026-4758
Published: 2026-03-23

References

https://github.com/free5gc/free5gc/security/advisories/GHSA-958m-gxmc-mccm
https://nvd.nist.gov/vuln/detail/CVE-2026-33065
https://github.com/free5gc/udm/commit/88de9fa74a1b3f3522e53b4cfa2d184712ffa4ee

Related advisories

CVE-2026-42459 — high · Go/github.com/free5gc/udm
CVE-2026-33192 — medium · Go/github.com/free5gc/udm
CVE-2026-33191 — medium · Go/github.com/free5gc/udm
CVE-2026-33064 — medium · Go/github.com/free5gc/udm
CVE-2025-60633 — medium · Go/github.com/free5gc/udm

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.