CVE-2025-70121
Array Index Out-of-Bounds in free5GC AMF Causes DoS
Publication date: 2026-02-13
Last updated on: 2026-02-18
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | free5gc | 4.0.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70121 is an array index out-of-bounds vulnerability in the Access and Mobility Management Function (AMF) component of free5GC version 4.0.1. It occurs when the AMF processes a malformed 5GS Mobile Identity field within a NAS Registration Request message. Specifically, the vulnerability is in the GetSUCI method, which tries to access the sixth element (index 5) of an array that only contains five elements, causing a runtime panic and crashing the AMF.
An unauthenticated remote attacker can exploit this by sending a specially crafted InitialUEMessage over an SCTP connection to the AMF NGAP interface, triggering the out-of-bounds access and causing the AMF to crash.
How can this vulnerability impact me?
Exploitation of this vulnerability results in a denial of service (DoS) condition for the entire 5G core network served by the affected AMF. The AMF crashes due to a runtime panic, disrupting network services and requiring manual intervention to restart the AMF service.
Because the attack requires no authentication and can be performed by any entity with basic SCTP/NGAP knowledge, it poses a significant risk of service disruption.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or runtime panics in the AMF service logs, specifically looking for error messages indicating an "index out of range [5] with length 5" originating from the GetSUCI method.
To detect exploitation attempts on your network, you can monitor SCTP connections to the AMF NGAP interface (default port 38412) for unusual or malformed InitialUEMessage NAS Registration Request messages.
Suggested commands include using network packet capture tools such as tcpdump or tshark to filter SCTP traffic on port 38412 and analyze NAS messages for malformed 5GS Mobile Identity fields.
- `tcpdump -i <interface> port 38412 and sctp`
- `tshark -i <interface> -Y "sctp.port == 38412" -V`
Additionally, reviewing AMF service logs for panic or crash messages can help confirm if the vulnerability has been triggered. [1]
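The log check described above can be automated. The following Go scanner is an added example, not code from free5GC or from this page: it reports a Go out-of-range panic only when a stack frame naming GetSUCI follows within a few lines, so unrelated index panics are not flagged. The sample log, its placeholder frame paths and the window size are constructed assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Message the Go runtime prints for an out-of-range slice or array index.
var oobRe = regexp.MustCompile(`index out of range \[(\d+)\] with length (\d+)`)

// Hit is one out-of-range panic whose stack trace names GetSUCI.
type Hit struct {
	Line          int // 1-based line number of the panic message
	Index, Length string
}

// FindGetSUCIPanics reports out-of-range panics that are followed, within
// `window` lines, by a stack frame containing "GetSUCI".
func FindGetSUCIPanics(r io.Reader, window int) (hits []Hit) {
	var pending *Hit
	deadline := 0
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if m := oobRe.FindStringSubmatch(line); m != nil {
			pending, deadline = &Hit{Line: n, Index: m[1], Length: m[2]}, n+window
		} else if pending != nil && n <= deadline && strings.Contains(line, "GetSUCI") {
			hits, pending = append(hits, *pending), nil
		}
	}
	return hits
}

// Constructed sample log, not captured from a real AMF; frame paths are placeholders.
const sampleLog = `[INFO] handling InitialUEMessage
panic: runtime error: index out of range [5] with length 5
goroutine 42 [running]:
example.invalid/nas.(*Identity).GetSUCI(...)
[INFO] service restarted
panic: runtime error: index out of range [2] with length 2
example.invalid/other.Parse(...)
`

func main() {
	fmt.Println(FindGetSUCIPanics(strings.NewReader(sampleLog), 10))
}
```

Run against the sample, only the panic on line 2 is reported; the second panic has no GetSUCI frame and is ignored.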
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the AMF NGAP interface (default port 38412) to trusted and authenticated network entities only, to prevent unauthenticated attackers from sending malicious InitialUEMessage requests.
Implement network-level filtering or firewall rules to block or limit SCTP traffic to the AMF from untrusted sources.
Monitor the AMF service for crashes and be prepared to manually restart the service if a denial of service occurs.
Apply patches or updates from the free5GC project that address this vulnerability by adding proper bounds checking and input validation in the GetSUCI method.