CVE-2026-42081

Published: May 27, 2026

Modified: May 27, 2026

PUBLISHED

CVSS v3.1

6.1

MEDIUM

Description

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, which are then propagated in PathSwitchRequest Acknowledge messages and subsequent Handover Request messages. This leads to persistent handover denial-of-service for affected UEs. This vulnerability is fixed in 4.2.2.

Vendor	Product	Versions
free5gc	free5gc	affected `< 4.2.2`

Weaknesses (CWE)

CWE-358

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

Low

References

https://github.com/free5gc/free5gc/security/advisories/GHSA-77x9-rf64-92gv

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-42081

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References