Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not enforce the concurrent security procedure rules defined in 3GPP TS 33.501 §6.9.5.1. The AMF does not check for ongoing N2 handover procedures before initiating a NAS Security Mode Command, and vice versa. This can lead to mismatches between NAS and AS security contexts in the network and the UE. This vulnerability is fixed in 4.2.2.
Published: 2026-05-27
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because the AMF in free5gc does not enforce the concurrent security procedure rules defined in 3GPP TS 33.501 §6.9.5.1. While a Network‑to‑Node B handover is in progress, an attacker could trigger a NAS Security Mode Command, or vice versa, without the AMF verifying that the other security procedure is not active. This oversight can cause the NAS and Authentication Server (AS) security contexts to diverge for the same user equipment, potentially weakening the cryptographic protection of GTP bearer traffic and undermining the integrity and confidentiality guarantees of the session.

Affected Systems

Affected systems are installations of the free5gc open‑source 5G core network, specifically the AMF component. Versions prior to 4.2.2 are vulnerable; the fix is included in free5gc 4.2.2 and later releases.

Risk and Exploitability

With a CVSS score of 3.7, the vulnerability is classified as low severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to be internal or in‑network, requiring an adversary with the ability to initiate or influence NGAP handover procedures within a free5gc deployment. Given the limited public exploitation evidence, the practical risk is moderate, but the mismatched security contexts could still be leveraged by a determined attacker to degrade session security.

Generated by OpenCVE AI on May 27, 2026 at 21:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade free5gc to version 4.2.2 or later, which implements concurrent security procedure enforcement.
  • Verify that AMF configuration does not disable or bypass security context checks for ongoing handovers.
  • Monitor AMF logs for instances of simultaneous NAS Security Mode Commands and NGAP handover events, and investigate any anomalies.

Generated by OpenCVE AI on May 27, 2026 at 21:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vrrx-58h3-prmh Free5GC AMF has Missing Concurrent NAS SMC Validation During NGAP Handover
History

Thu, 28 May 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Free5gc
Free5gc free5gc
Vendors & Products Free5gc
Free5gc free5gc

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not enforce the concurrent security procedure rules defined in 3GPP TS 33.501 §6.9.5.1. The AMF does not check for ongoing N2 handover procedures before initiating a NAS Security Mode Command, and vice versa. This can lead to mismatches between NAS and AS security contexts in the network and the UE. This vulnerability is fixed in 4.2.2.
Title free5GC: Missing Concurrent NAS SMC Validation During NGAP Handover
Weaknesses CWE-358
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Free5gc Free5gc
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T15:59:21.228Z

Reserved: 2026-04-23T19:17:30.565Z

Link: CVE-2026-42082

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-27T17:16:35.180

Modified: 2026-05-27T19:51:27.110

Link: CVE-2026-42082

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T02:15:03Z

Weaknesses