Advisory GHSA-27ph-8q4f-h7m7 references a vulnerability in the following Go modules:
Description:
Summary
free5GC's BSF PUT /nbsf-management/v1/subscriptions/{subId} handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock() via BSFContext.GetSubscription(subId), but if the subscription does not exist, ReplaceIndividualSubcription() writes back to the same map directly without taking the mutex (bsfContext.BsfSelf.Subscriptions[subId] = subscription). Under concurrent authenticated PUT load, one goroutine can read while another writes the map, which causes the Go runtime to abort the process with `fatal error: concurren...
References:
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
    - module: github.com/free5gc/bsf
      versions:
        - fixed: 1.0.2
      vulnerable_at: 1.0.1
summary: |-
    free5GC's BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes
    the BSF process via concurrent map read/write on Subscriptions in github.com/free5gc/bsf
cves:
    - CVE-2026-44318
ghsas:
    - GHSA-27ph-8q4f-h7m7
references:
    - advisory: https://github.com/advisories/GHSA-27ph-8q4f-h7m7
    - advisory: https://github.com/free5gc/free5gc/security/advisories/GHSA-27ph-8q4f-h7m7
    - fix: https://github.com/free5gc/bsf/commit/277908565fd628d974a13ef562b81a8b7b519ffa
    - fix: https://github.com/free5gc/bsf/pull/7
    - report: https://github.com/free5gc/free5gc/issues/926
source:
    id: GHSA-27ph-8q4f-h7m7
    created: 2026-05-08T23:01:08.441298837Z
review_status: UNREVIEWED