free5GC is an open-source implementation of the 5G core network.
free5GC's AMF component, prior to version 4.2.2, does not verify UE Security Capabilities received during a handover procedure against its stored values. A malicious gNB can exploit this to overwrite the AMF's security capabilities, leading to persistent denial-of-service for UEs during handovers. This vulnerability is fixed in version 4.2.2.
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in free5GC does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, which are then propagated in PathSwitchRequest Acknowledge messages and subsequent Handover Request messages. This leads to persistent handover denial-of-service for affected UEs. This vulnerability is fixed in 4.2.2.
Users of free5GC prior to 4.2.2 are at medium risk of denial-of-service for UEs if a malicious gNB is present in the adjacent network.
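The comparison that TS 33.501 §6.7.3.1 calls for, sketched in Go next to the flawed overwrite pattern. This is an added example, not free5GC's code or its 4.2.2 patch: the names `UESecurityCapabilities`, `UEContext`, `VulnerableUpdate` and `VerifyPathSwitchCaps` are hypothetical, and the bitmaps are constructed sample values.

```go
package main

import "fmt"

// UESecurityCapabilities: hypothetical simplified form of the NGAP IE, one bitmap per family.
type UESecurityCapabilities struct {
	NREnc, NRInt, EUTRAEnc, EUTRAInt uint16
}

// UEContext stands in for the AMF's per-UE state (hypothetical type).
type UEContext struct {
	SecCap UESecurityCapabilities // learned from the UE at registration
}

// VulnerableUpdate is the flawed pattern the advisory describes: the value
// from the PathSwitchRequest replaces the stored one without comparison.
func VulnerableUpdate(ue *UEContext, rx UESecurityCapabilities) {
	ue.SecCap = rx
}

// VerifyPathSwitchCaps never modifies the stored value. It returns the stored
// capabilities (what belongs in the PathSwitchRequest Acknowledge) and the
// names of the fields that differ, so the caller can log the mismatch.
func VerifyPathSwitchCaps(ue *UEContext, rx UESecurityCapabilities) (UESecurityCapabilities, []string) {
	s := ue.SecCap
	checks := []struct {
		name      string
		got, want uint16
	}{
		{"NR encryption", rx.NREnc, s.NREnc}, {"NR integrity", rx.NRInt, s.NRInt},
		{"E-UTRA encryption", rx.EUTRAEnc, s.EUTRAEnc}, {"E-UTRA integrity", rx.EUTRAInt, s.EUTRAInt},
	}
	var diff []string
	for _, c := range checks {
		if c.got != c.want {
			diff = append(diff, c.name)
		}
	}
	return s, diff
}

func main() {
	stored := UESecurityCapabilities{0xE000, 0xE000, 0xE000, 0xE000} // constructed sample
	ue := &UEContext{SecCap: stored}
	ack, diff := VerifyPathSwitchCaps(ue, UESecurityCapabilities{}) // mismatching value
	fmt.Printf("ack=%+v mismatch=%v stored intact=%v\n", ack, diff, ue.SecCap == stored)
	VulnerableUpdate(ue, UESecurityCapabilities{})
	fmt.Printf("after vulnerable update, stored overwritten=%v\n", ue.SecCap != stored)
}
```

A non-empty mismatch list is the event worth logging and alerting on, since a gNB that reports capabilities different from the stored ones is either misconfigured or tampering.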
Monitor & Review
Low severity — keep this CVE on your radar and patch during routine maintenance.
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L