CVE-2026-42081 free5gc CVE debrief

Who should care

Telecommunications operators deploying free5GC-based 5G core networks, mobile network security engineers, and organizations managing private 5G infrastructure using free5GC components

Technical summary

The free5GC AMF component prior to 4.2.2 improperly handles UE Security Capabilities in NGAP PathSwitchRequest messages. Per 3GPP TS 33.501 §6.7.3.1, the AMF must verify received capabilities against stored values; this verification is absent. A malicious gNodeB can inject arbitrary security capability values that persist in the AMF's state and propagate to subsequent signaling messages (PathSwitchRequest Acknowledge, Handover Request). This causes affected UEs to experience persistent handover failures, constituting a denial-of-service condition. The attack requires adjacent network access (AV:A) but no privileges or user interaction. The vulnerability is classified under CWE-358 and carries a CVSS 3.1 score of 6.1 (Medium).

Defensive priority

medium

Recommended defensive actions

• Upgrade free5GC to version 4.2.2 or later to obtain the security fix
• Review AMF configuration to ensure NGAP message validation policies are enforced
• Monitor for anomalous handover failures or UE mobility disruptions that may indicate exploitation
• Validate gNodeB trust boundaries and implement network segmentation where possible
• Audit UE security capability records for inconsistencies following any suspected compromise

Evidence notes

Vulnerability disclosed via GitHub Security Advisory and indexed by NVD. CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L yields score 6.1 (Medium). CWE-358 (Improperly Implemented Security Check for Standard) classified. Fix confirmed in free5GC 4.2.2.

Official resources