Description
OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if an UE sends initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade security context can lead to the possibility of replay attack.
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Replay Attack via IA0 downgrade
Action: Apply Patch
AI Analysis

Impact

OpenAirInterface version 2.2.0 accepts Security Mode Complete messages that declare no integrity protection when a network element receives a device capability of IA0. By allowing this insecure context the system can be coerced into accepting messages without integrity, which in turn permits an attacker to capture and later replay legitimate traffic, undermining data integrity.

Affected Systems

The weakness specifically affects the OpenAirInterface implementation, version 2.2.0. Systems running this version are at risk if they allow devices that advertise only IA0 capability during registration. No proprietary vendor is listed, as the project is open source.

Risk and Exploitability

The vulnerability carries a high severity score of 7.5 and is considered unlikely to be widely exploited at present. It is not listed in the known exploited vulnerabilities catalog. An attacker would need network access to the 5G core and control or spoof a device that can send a registration request with IA0. Once the system accepts the request it will proceed without integrity checks, allowing replay of previously captured frames over the air interface.

Generated by OpenCVE AI on April 9, 2026 at 23:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenAirInterface to the latest patched release when it becomes available.
  • If a patch is not yet available, reconfigure the system to reject Security Mode Complete messages that specify IA0 or limit device capabilities to secure algorithms such as NIA1 and NIA2.
  • Continuously monitor registration traffic for abnormal or repeated IA0 capability requests.
  • Stay informed of vendor advisories or security notices regarding this issue.

Generated by OpenCVE AI on April 9, 2026 at 23:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Title OpenAirInterface 2.2.0 Security Mode Complete Accepts IA0 Leading to Replay Attack
Weaknesses CWE-290
CWE-322

Thu, 09 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-294
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Openairinterface
Openairinterface oai-cn5g-amf
Vendors & Products Openairinterface
Openairinterface oai-cn5g-amf

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title OpenAirInterface 2.2.0 Security Mode Complete Accepts IA0 Leading to Replay Attack
Weaknesses CWE-290
CWE-322

Wed, 08 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if an UE sends initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade security context can lead to the possibility of replay attack.
References

Subscriptions

Openairinterface Oai-cn5g-amf
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-09T20:45:42.267Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30080

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-08T17:21:18.623

Modified: 2026-04-09T21:16:07.767

Link: CVE-2026-30080

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:41:13Z

Weaknesses