Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, which are then propagated in PathSwitchRequest Acknowledge messages and subsequent Handover Request messages. This leads to persistent handover denial-of-service for affected UEs. This vulnerability is fixed in 4.2.2.
Published: 2026-05-27
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

free5GC does not verify UE Security Capabilities in NGAP PathSwitchRequest messages, allowing a malicious gNB to overwrite the AMF's stored capabilities. This flaw propagates incorrect security settings through PathSwitchRequest Acknowledge and subsequent Handover Request messages, causing persistent handover denial‑of‑service for affected UEs.

Affected Systems

The affected product is the free5gc open‑source 5G core network implementation. Versions prior to 4.2.2 of the AMF contain the flaw; the issue is addressed in release 4.2.2.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity vulnerability, and the EPSS score is not available. It is not listed in the CISA KEV catalog. Likely exploitation requires a gNB within the same network to send forged NGAP PathSwitchRequest messages to the AMF. The attacker must have control over a gNB or compromise a legitimate network element, and then send crafted messages. Persistence of the denial‑of‑service comes from repeated handover attempts that repeatedly contain the tampered capabilities, which the AMF will forward to other network nodes.

Generated by OpenCVE AI on May 27, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5gc to version 4.2.2 or later to apply the vendor fix.
  • Ensure AMF configuration enforces UE Security Capability verification and audit custom handlers for compliance with 3GPP TS 33.501.
  • Monitor PathSwitchRequest, PathSwitchRequest Acknowledge, and Handover Request traffic for anomalies; isolate or block gNBs that send non‑conforming messages to protect UEs from service disruption.

Generated by OpenCVE AI on May 27, 2026 at 19:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-77x9-rf64-92gv Free5GC AMF Bypasses UE Security Capabilities on NGAP PathSwitchRequest
History

Wed, 27 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, which are then propagated in PathSwitchRequest Acknowledge messages and subsequent Handover Request messages. This leads to persistent handover denial-of-service for affected UEs. This vulnerability is fixed in 4.2.2.
Title free5GC: UE Security Capability bypass on NGAP PathSwitchRequest
Weaknesses CWE-358
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:56:05.721Z

Reserved: 2026-04-23T19:17:30.565Z

Link: CVE-2026-42081

cve-icon Vulnrichment

Updated: 2026-05-27T17:56:00.127Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-27T17:16:34.967

Modified: 2026-05-27T19:51:27.110

Link: CVE-2026-42081

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T19:30:35Z

Weaknesses