Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-4531 is a vulnerability in the Free5GC 4.1.0 software, specifically in the Access and Mobility Management Function (AMF) component's HandleRegistrationComplete function within the GMM handler. The issue occurs when the AMF receives an out-of-sequence NAS Registration Complete message prematurely during the UE registration procedure, before the expected Identity Response is received."}, {'type': 'paragraph', 'content': 'Due to missing state validation and defensive checks, the AMF attempts to process this unexpected message, which leads to a runtime panic caused by a nil pointer dereference. This causes the AMF process to crash, resulting in a denial of service.'}, {'type': 'paragraph', 'content': 'The patch fixes this by adding a guard clause that checks if the T3550 timer is running before processing the Registration Complete message. If the timer is not active, the function returns an error instead of continuing, preventing the crash.'}] [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service (DoS) condition in the Free5GC AMF component by crashing the AMF process when it receives an out-of-sequence NAS Registration Complete message.

Since the AMF is critical in managing user equipment registration and mobility in 5G core networks, a crash can disrupt network operations, leading to service interruptions for users.

An attacker could exploit this remotely by sending manipulated NAS messages to trigger the crash, potentially causing network instability or outages.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the behavior of the free5GC AMF component, specifically looking for crashes or denial of service conditions triggered by out-of-sequence NAS messages during the UE registration procedure.

Detection involves checking logs for runtime panics or errors related to the HandleRegistrationComplete function in the AMF, especially after receiving unexpected NAS Registration Complete messages before the Identity Response step.

While no explicit commands are provided in the resources, typical detection steps include:

• Reviewing AMF logs for panic stack traces referencing BuildIEMobilityRestrictionList or HandleRegistrationComplete.
• Using network packet capture tools (e.g., tcpdump or Wireshark) to identify out-of-sequence NAS messages such as premature NAS Registration Complete messages.
• Monitoring the AMF process status to detect unexpected crashes or restarts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to apply the patch that fixes this vulnerability in the free5GC AMF component.

This patch adds a guard clause in the HandleRegistrationComplete function to ensure that the T3550 timer is running before processing a Registration Complete message, preventing the denial of service condition.

It is best practice to update free5GC to include the commit identified by hash 52e9386401ce56ea773c5aa587d4cdf7d53da799 or later, which contains the fix.

Additionally, monitoring and logging unexpected NAS message sequences can help detect attempts to exploit this vulnerability.

Useful 0 Not Useful 0