Unrestricted Resource Consumption

Unrestricted Resource Consumption in Go (Gin) [CVE-2026-41135]


Overview

The CVE-2026-41135 disclosure describes an Unrestricted Resource Consumption vulnerability affecting free5GC's PCF UDR component. Versions prior to 1.4.3 allowed an unauthenticated attacker with network access to the PCF SBI interface to drive memory growth by repeatedly sending HTTP requests to the OAM endpoint. The root cause was a router.Use() call inside an HTTP handler that registered a new CORS middleware on every incoming request, permanently expanding Gin's router handler chain. This unbounded growth leads to progressive memory exhaustion and denial of service of the PCF, preventing 5G session establishment. Version 1.4.3 contains the patch, which removes the per-request middleware registration.

CWE-400 is the relevant weakness class. In Go with the Gin framework, this class of vulnerability manifests when a handler mutates the global router by calling Use inside a request handler. Each request appends a new middleware to the chain, so subsequent requests run through an ever-growing set of handlers. The result is escalating memory usage, increased GC pressure, and eventual server instability or crash under load, which amounts to a DoS against endpoints such as the OAM interface. The same underlying issue applies to any per-request middleware attachment that expands the router's handler chain over time.

Remediation focuses on registering middleware exactly once at startup, or in a strictly controlled, idempotent manner. Never mutate the router's middleware chain in response to client requests. Prefer static configuration, route groups, and pre-built middleware instances that do not grow with traffic. After applying the fix, validate with load and memory tests and with memory profiling to confirm that the middleware chain does not grow over time.

Affected Versions

1.4.0 - 1.4.2

Code Fix Example

Go (Gin) API Security Remediation
package main

import (
    "log"
    "net/http"

    "github.com/gin-contrib/cors"
    "github.com/gin-gonic/gin"
)

// Vulnerable: middleware is registered inside a request handler, so the
// router's chain grows on every request and is never released.
func buildVulnerableRouter() *gin.Engine {
    r := gin.New()

    // BAD: registering middleware on every single request
    r.GET("/oam", func(c *gin.Context) {
        // Each request adds another CORS middleware to the global router,
        // growing the chain for the lifetime of the process.
        r.Use(cors.Default())
        c.JSON(http.StatusOK, gin.H{"status": "vulnerable"})
    })
    return r
}

// Fixed: register middleware once during initialization, never per request.
func buildFixedRouter() *gin.Engine {
    r := gin.New()
    // GOOD: register once during startup; the chain length is now constant
    r.Use(cors.Default())

    r.GET("/oam", func(c *gin.Context) {
        c.JSON(http.StatusOK, gin.H{"status": "fixed"})
    })
    return r
}

func main() {
    // For demonstration, choose one of the routers to run.
    router := buildFixedRouter()
    if err := router.Run(":8080"); err != nil {
        log.Fatal(err)
    }
}
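The overview recommends validating the fix by confirming that the middleware chain does not grow with traffic. The following added example (not code from the advisory or from free5GC) shows what such a regression check looks like. To keep it runnable with only the Go standard library it models the Gin engine with a small hand-written Router whose Use method appends to a middleware slice, which is an assumption standing in for gin.Engine.Use; the route path /oam and the corsHeaders middleware are constructed stand-ins for the PCF OAM endpoint and cors.Default(). ChainGrowth drives n requests through httptest and returns how many entries the chain gained, so a non-zero result for a router is the signal that per-request registration is still present.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Middleware wraps an http.Handler, playing the role of a Gin middleware.
type Middleware func(http.Handler) http.Handler

// Router is a constructed stand-in for gin.Engine: a mutable middleware
// chain plus a single route handler.
type Router struct {
	mu    sync.Mutex
	chain []Middleware
	route http.HandlerFunc
}

// Use appends middleware to the global chain, mirroring gin.Engine.Use.
func (r *Router) Use(m Middleware) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.chain = append(r.chain, m)
}

// ChainLen is the value a regression test inspects: it must stay constant under load.
func (r *Router) ChainLen() int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return len(r.chain)
}

// ServeHTTP runs each request through every registered middleware, then the route.
// The chain is copied under the lock so a handler may call Use without deadlocking,
// which is exactly what lets the vulnerable pattern grow it.
func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	r.mu.Lock()
	chain := append([]Middleware(nil), r.chain...)
	r.mu.Unlock()

	var h http.Handler = r.route
	for i := len(chain) - 1; i >= 0; i-- {
		h = chain[i](h) // every extra entry is one more allocation per request
	}
	h.ServeHTTP(w, req)
}

// corsHeaders is a constructed stand-in for cors.Default().
func corsHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		next.ServeHTTP(w, req)
	})
}

// NewVulnerableRouter reproduces the CVE-2026-41135 pattern: Use is called
// from inside the request handler, so each request appends one middleware.
func NewVulnerableRouter() *Router {
	r := &Router{}
	r.route = func(w http.ResponseWriter, req *http.Request) {
		r.Use(corsHeaders) // BAD: per-request registration
		fmt.Fprint(w, `{"status":"vulnerable"}`)
	}
	return r
}

// NewFixedRouter registers the middleware exactly once at startup.
func NewFixedRouter() *Router {
	r := &Router{}
	r.Use(corsHeaders) // GOOD: registered once, chain length is now 1 forever
	r.route = func(w http.ResponseWriter, req *http.Request) {
		fmt.Fprint(w, `{"status":"fixed"}`)
	}
	return r
}

// ChainGrowth sends n GET requests to /oam and returns how many entries the
// middleware chain gained. Anything above zero fails the regression check.
func ChainGrowth(r *Router, n int) int {
	before := r.ChainLen()
	for i := 0; i < n; i++ {
		rec := httptest.NewRecorder()
		r.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/oam", nil))
	}
	return r.ChainLen() - before
}

func main() {
	fmt.Println("vulnerable router chain grew by:", ChainGrowth(NewVulnerableRouter(), 1000))
	fmt.Println("fixed router chain grew by:", ChainGrowth(NewFixedRouter(), 1000))
}
```

In a real free5GC deployment the same check is done against the actual gin.Engine: take len(engine.Handlers) before and after a burst of OAM requests, and combine it with a heap profile so that growth in the chain and growth in live memory are both caught by CI rather than in production.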

CVE References
