CVE-2026-30079
Authentication Bypass via State Transition Flaw in OpenAirInterface AMF
Publication date: 2026-04-07
Last updated on: 2026-04-14
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openairinterface | oai-cn5g-amf | 2.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30079 is an authentication bypass vulnerability in OpenAirInterface (OAI) AMF version 2.2.0. It occurs because the AMF incorrectly handles out-of-sequence NGAP messages during the UE registration procedure.
Specifically, if a SecurityModeComplete message is sent after the InitialUERegistration message, the AMF processes these messages incorrectly, resulting in a registration reject followed by a registration accept. This flawed state machine logic causes the UE to be registered without proper authentication.
The root cause is that the AMF GMM state machine fails to detect and discard out-of-sequence messages, allowing inappropriate state transitions and bypassing the authentication step.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an adversary to bypass authentication during the UE registration procedure in OpenAirInterface AMF v2.2.0. By bypassing authentication, unauthorized users could gain access to the network, potentially leading to unauthorized access to personal or sensitive data.
Such unauthorized access could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information. Failure to properly authenticate users may result in violations of these regulations due to potential data breaches or unauthorized data processing.
How can this vulnerability impact me?
This vulnerability allows an attacker to bypass the authentication process during UE registration in the affected OpenAirInterface AMF.
As a result, unauthorized devices could register on the network without proper verification, potentially leading to unauthorized access, data interception, or other malicious activities within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the sequence of NGAP messages during the UE registration procedure in OpenAirInterface AMF version 2.2.0. Specifically, look for out-of-sequence messages such as a SecurityModeComplete message arriving after the InitialUERegistration message.
Logs should be inspected for the presence of a SecurityModeComplete (message 94) received during an ongoing registration procedure, followed by a RegistrationReject message and then a RegistrationAccept message, which indicates the authentication bypass.
Commands to detect this might include capturing and analyzing NGAP messages using network packet capture tools (e.g., tcpdump or Wireshark) on the interface between the UE and AMF, filtering for NGAP messages, and checking the order of messages.
- Use tcpdump to capture NGAP messages: tcpdump -i <interface> -w capture.pcap port 38412
- Analyze the capture with Wireshark, filter for NGAP messages, and verify the sequence of InitialUERegistration and SecurityModeComplete messages.
- Check AMF logs for unexpected SecurityModeComplete messages during registration and subsequent RegistrationReject followed by RegistrationAccept messages.
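The message-order check described above can be automated once events are extracted from a capture or from AMF logs. The following is an added example, not code from the advisory or the OAI project: it assumes the events are already parsed into (ue_id, message) pairs in capture order. That pair format, the UE identifiers and the sample events are constructed, and the flagged message names follow the wording used on this page.

```python
from collections import defaultdict

# Ordered message pattern taken from the description on this page.
SIGNATURE = (
    "InitialUERegistration",
    "SecurityModeComplete",
    "RegistrationReject",
    "RegistrationAccept",
)

def find_bypass_sequences(events):
    """Return [(ue_id, [event indices])] for every UE whose messages
    contain SIGNATURE in order within a single registration attempt.

    events: iterable of (ue_id, message_name) in capture order
            (assumed, pre-parsed format; not an OAI log format).
    """
    progress = defaultdict(list)  # ue_id -> indices of steps matched so far
    hits = []
    for idx, (ue, msg) in enumerate(events):
        if msg == SIGNATURE[0]:
            progress[ue] = [idx]  # a new registration restarts tracking
            continue
        matched = progress[ue]
        if matched and msg == SIGNATURE[len(matched)]:
            matched.append(idx)
            if len(matched) == len(SIGNATURE):
                hits.append((ue, matched))
                progress[ue] = []
    return hits

# Constructed sample: ue-1 registers normally, ue-2 shows the flagged order.
SAMPLE_EVENTS = [
    ("ue-1", "InitialUERegistration"),
    ("ue-2", "InitialUERegistration"),
    ("ue-1", "AuthenticationRequest"),
    ("ue-2", "SecurityModeComplete"),
    ("ue-1", "AuthenticationResponse"),
    ("ue-2", "RegistrationReject"),
    ("ue-1", "SecurityModeCommand"),
    ("ue-1", "SecurityModeComplete"),
    ("ue-2", "RegistrationAccept"),
    ("ue-1", "RegistrationAccept"),
]

if __name__ == "__main__":
    for ue, indices in find_bypass_sequences(SAMPLE_EVENTS):
        print(f"ALERT {ue}: reject then accept after SecurityModeComplete, events {indices}")
```

Tracking is kept per UE, so interleaved registrations from other devices do not hide or trigger a match.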
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include ensuring that the AMF properly detects and discards out-of-sequence NGAP messages during the UE registration procedure to prevent incorrect state transitions.
Since the vulnerability arises from the AMF GMM state machine failing to handle message sequences correctly, updating or patching the OpenAirInterface AMF to a version where this issue is fixed is recommended.
If an update is not immediately available, consider implementing network-level controls to detect and block suspicious or out-of-sequence NGAP messages, or restrict access to the AMF to trusted entities only.