SCA: security update for github.com/free5gc/ausf (GHSA-4jrw-92fg-4jwx)

high Tenable Cloud Security Plugin ID 438994

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- free5GC is an open source 5G core network. free5GC AUSF prior to version 1.4.2 has is an Improper Null
Check vulnerability leading to Denial of Service. All deployments of free5GC v4.0.1 using the AUSF UE
authentication service (`/nausf-auth/v1/ue-authentications` endpoint) are affected. A remote attacker can
cause the AUSF service to panic and crash by sending a crafted UE authentication request that triggers a
nil interface conversion in the `GetSupiFromSuciSupiMap` function. This results in complete denial of
service for the AUSF authentication service. The `GetSupiFromSuciSupiMap` function attempts to perform an
interface conversion from `interface{}` to `*context.SuciSupiMap` without checking if the underlying value
is nil. When `SuciSupiMap` is nil, the code panics with "interface conversion: interface {} is nil, not
*context.SuciSupiMap". free5GC AUSF version 1.4.2 patches the issue. There is no direct workaround at the
application level. The recommendation is to apply the provided patch or restrict access to the AUSF API to
trusted sources only. (CVE-2026-33063)

Solution

Update the github.com/free5gc/ausf library and its related packages to version 1.4.2 or later.

See Also

https://github.com/advisories/GHSA-4jrw-92fg-4jwx

Plugin Details

Severity: High

ID: 438994

Version: Revision 1.13

Type: Local

Family: SCA Checks

Published: 3/19/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-33063

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 6.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/18/2026

Vulnerability Publication Date: 3/18/2026

Reference Information

CVE: CVE-2026-33063

cwe: CWE-476