CVE-2026-42081

6.1 MEDIUM
Published: May 27, 2026 Modified: May 29, 2026
View on NVD

Description

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 ยง6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, which are then propagated in PathSwitchRequest Acknowledge messages and subsequent Handover Request messages. This leads to persistent handover denial-of-service for affected UEs. This vulnerability is fixed in 4.2.2.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/free5gc/free5gc/security/advisories/GHSA-77x9-rf64-92gv
Source: security-advisories@github.com
Vendor Advisory Exploit
https://github.com/free5gc/free5gc/security/advisories/GHSA-77x9-rf64-92gv
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Vendor Advisory Exploit

2 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.1 / 10.0
EPSS (Exploit Probability)
0.2%
8th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-358

Affected Vendors

free5gc

Related CVEs

CVE-2026-48777 N/A
CVE-2026-47750 7.8
CVE-2026-47747 7.8
CVE-2026-46448 5.4
CVE-2026-22313 9.1