CVE-2026-4531
Received - Intake
Denial of Service in Free5GC AMF HandleRegistrationComplete Function

Publication date: 2026-03-22

Last updated on: 2026-03-23

Assigner: VulDB

Description
A weakness has been identified in Free5GC 4.1.0. Affected is the function HandleRegistrationComplete in the file internal/gmm/handler.go of the AMF component. Manipulation can lead to a denial of service. The attack can be performed remotely. The patch is identified as 52e9386401ce56ea773c5aa587d4cdf7d53da799. Applying the patch is the recommended way to resolve this issue.
Meta Information
Published: 2026-03-22
Last Modified: 2026-03-23
Generated: 2026-05-07
AI Q&A: 2026-03-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
free5gc free5gc 4.1.0
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4531 is a vulnerability in the Free5GC 4.1.0 software, specifically in the Access and Mobility Management Function (AMF) component's HandleRegistrationComplete function within the GMM handler. The issue occurs when the AMF receives an out-of-sequence NAS Registration Complete message prematurely during the UE registration procedure, before the expected Identity Response is received.

Due to missing state validation and defensive checks, the AMF attempts to process this unexpected message, which leads to a runtime panic caused by a nil pointer dereference. This causes the AMF process to crash, resulting in a denial of service.

The patch fixes this by adding a guard clause that checks if the T3550 timer is running before processing the Registration Complete message. If the timer is not active, the function returns an error instead of continuing, preventing the crash. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can cause a denial of service (DoS) condition in the Free5GC AMF component by crashing the AMF process when it receives an out-of-sequence NAS Registration Complete message.

Since the AMF is critical in managing user equipment registration and mobility in 5G core networks, a crash can disrupt network operations, leading to service interruptions for users.

An attacker could exploit this remotely by sending manipulated NAS messages to trigger the crash, potentially causing network instability or outages.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the behavior of the free5GC AMF component, specifically looking for crashes or denial of service conditions triggered by out-of-sequence NAS messages during the UE registration procedure.

Detection involves checking logs for runtime panics or errors related to the HandleRegistrationComplete function in the AMF, especially after receiving unexpected NAS Registration Complete messages before the Identity Response step.

While no explicit commands are provided in the resources, typical detection steps include:

  • Reviewing AMF logs for panic stack traces referencing BuildIEMobilityRestrictionList or HandleRegistrationComplete.
  • Using network packet capture tools (e.g., tcpdump or Wireshark) to identify out-of-sequence NAS messages such as premature NAS Registration Complete messages.
  • Monitoring the AMF process status to detect unexpected crashes or restarts.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to apply the patch that fixes this vulnerability in the free5GC AMF component.

This patch adds a guard clause in the HandleRegistrationComplete function to ensure that the T3550 timer is running before processing a Registration Complete message, preventing the denial of service condition.

It is best practice to update free5GC to include the commit identified by hash 52e9386401ce56ea773c5aa587d4cdf7d53da799 or later, which contains the fix.

Additionally, monitoring and logging unexpected NAS message sequences can help detect attempts to exploit this vulnerability.
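
The guard described above, as an added Go sketch that is not free5GC's code or the actual patch. All type and function names are hypothetical, and the assumption that the dereferenced state is still unset when Registration Complete arrives early is a simplification of the nil pointer dereference the page reports.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified model with hypothetical names; these are not free5GC's types.
type timer struct{ running bool }

type accessInfo struct{ restrictions []string }

type ueContext struct {
	t3550  *timer      // running only while the AMF awaits Registration Complete
	access *accessInfo // assumption: populated later in the registration procedure
}

var errUnexpected = errors.New("registration complete received while T3550 is not running")

// unguarded trusts the message order and dereferences state that an
// out-of-sequence Registration Complete finds unset.
func unguarded(ue *ueContext) int {
	return len(ue.access.restrictions) // nil pointer dereference when access == nil
}

// guarded rejects the message unless T3550 is running, as the patch description states.
func guarded(ue *ueContext) (int, error) {
	if ue.t3550 == nil || !ue.t3550.running {
		return 0, errUnexpected
	}
	return len(ue.access.restrictions), nil
}

// crashes reports whether the unguarded handler panics for this context.
// recover is used here only so the demonstration itself keeps running.
func crashes(ue *ueContext) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	unguarded(ue)
	return false
}

func main() {
	early := &ueContext{} // constructed: Registration Complete before Identity Response
	ready := &ueContext{t3550: &timer{running: true}, access: &accessInfo{restrictions: []string{"constructed"}}}
	fmt.Println("unguarded, early message panics:", crashes(early))
	_, err := guarded(early)
	fmt.Println("guarded, early message:", err)
	n, err := guarded(ready)
	fmt.Println("guarded, in-sequence message:", n, err)
}
```

The error return from the guarded path is also a natural place to emit the log line for unexpected NAS message sequences that the monitoring advice above relies on.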

