CVE-2026-30080
Received - Intake
Security Mode Downgrade in OpenAirInterface v2.2.0 Enables Replay Attack

Publication date: 2026-04-08

Last updated on: 2026-04-14

Assigner: MITRE

Description
OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. The AMF configuration supports the integrity algorithms NIA1 and NIA2, but if a UE sends an initial Registration Request whose UE security capability advertises only IA0 (the null integrity algorithm), OpenAirInterface accepts it and proceeds with registration instead of rejecting it. The resulting downgraded security context opens the possibility of a replay attack.
Meta Information
Published: 2026-04-08
Last Modified: 2026-04-14
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: openairinterface
Product: oai-cn5g-amf
Version / Range: 2.2.0
CWE
CWE-294 (Authentication Bypass by Capture-replay): A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-30080 is a security vulnerability in the Access and Mobility Management Function (AMF) of OpenAirInterface (OAI) version 2.2.0. The AMF accepts a Security Mode Complete message without enforcing integrity protection when the User Equipment (UE) indicates support only for the IA0 integrity algorithm (5G-IA0, also written NIA0), which is the null algorithm and provides no integrity protection at all.

Although the AMF is configured with the stronger integrity algorithms NIA1 and NIA2, it proceeds with registration requests from UEs that advertise only IA0. This contradicts the 5G security specification (3GPP TS 33.501), which restricts NIA0 to unauthenticated emergency sessions; a normal registration that leaves no usable integrity algorithm in common should be rejected.

As a result, the AMF accepts NAS messages carrying an all-zero Message Authentication Code (MAC), which is what NIA0 produces, and continues the registration procedure under a downgraded security context. Because nothing in such messages binds them to the current session, the flaw can be exploited to perform replay attacks.


How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker to downgrade the security context of a 5G registration process to one without integrity protection.

Because the AMF accepts registration requests from UEs that support only the IA0 algorithm (which provides no integrity), an attacker could exploit this to replay previously captured messages.

Replay attacks can lead to unauthorized access, session hijacking, or other malicious activities by reusing valid messages, potentially compromising the security and integrity of the 5G network communications.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the Access and Mobility Management Function (AMF) logs for Security Mode Complete messages accepted without integrity protection, specifically when the User Equipment (UE) indicated support only for the IA0 integrity algorithm (no integrity).

Detection amounts to checking whether the AMF accepts initial registration requests from UEs that advertise only IA0, despite an AMF configuration that supports only NIA1 and NIA2.

A practical approach is to capture and analyze the NGAP and NAS message exchanges on the N2 interface, looking for sequences where:

  • The Registration Request carried in InitialUEMessage contains a UE security capability IE whose 5GS integrity algorithms octet has only the 5G-IA0 bit set (octet value 0x80, i.e. no 128-5G-IA1/IA2/IA3 bits).
  • The Security Mode Command selects integrity algorithm 0 (NIA0) in its Selected NAS security algorithms IE.
  • The Security Mode Complete is accepted with an all-zero MAC field (no integrity).
  • Despite the AMF configuration disallowing IA0, the registration proceeds to Registration Accept instead of being rejected.

Commands to assist detection include packet capture tools (e.g., tcpdump or Wireshark) to filter and inspect NGAP and NAS messages between the gNB and AMF, for example:

  • tcpdump -i <interface> -w capture.pcap sctp port 38412 # Capture NGAP over SCTP (N2 interface)
  • Open the capture in Wireshark with the display filter ngap || nas-5gs to decode the NAS-5GS payloads, then check the UE security capability IE in the Registration Request, the Selected NAS security algorithms in the Security Mode Command, and the MAC field of the Security Mode Complete.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves configuring the AMF to strictly enforce integrity protection by rejecting any initial registration request from a UE that indicates support only for the IA0 (no integrity) algorithm.

Specifically, the AMF should be updated or configured to:

  • Reject the registration during the initial Registration Request phase if the UE supports only IA0; the one case where NIA0 is permitted by 3GPP TS 33.501 is an unauthenticated emergency registration, so only that path should ever select it.
  • Never select NIA0 in the Security Mode Command when a configured algorithm (NIA1 or NIA2) is available, and fail the procedure when none is.
  • Verify the MAC field of the Security Mode Complete against the selected algorithm and treat an all-zero MAC under a non-null algorithm as an integrity failure.
  • Prevent progression of registration if integrity checks fail or if IA0 was the only algorithm offered.

If a patch or updated version of the OpenAirInterface AMF is available that addresses this issue, applying it promptly is recommended.
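The following is an added example, not OpenAirInterface code, that ties together the detection sequence described above (IA0-only capability, NIA0 selected, all-zero MAC) and the reject-on-IA0 rule the mitigation bullets call for. It parses 5G NAS messages by the field layouts in 3GPP TS 24.501, but only for the message types and the subset of Registration Request optional IEs needed here; the sample exchanges are constructed byte strings, not captured OAI traffic, and the `configured=(2, 1)` preference order in `select_integrity` is an assumed AMF setting, not OAI's actual configuration or selection code.

```python
"""Added example (not OAI code): audit a 5G NAS registration exchange for a NIA0
downgrade and show the algorithm-selection rule a hardened AMF would apply.
Layouts follow 3GPP TS 24.501; the sample bytes below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

EPD_5GMM = 0x7E                      # extended protocol discriminator, 5GMM
MT_REGISTRATION_REQUEST = 0x41
MT_SECURITY_MODE_COMMAND = 0x5D
MT_SECURITY_MODE_COMPLETE = 0x5E
IEI_UE_SECURITY_CAPABILITY = 0x2E
IA0_BIT = 0x80                       # bit 8 of the 5GS integrity algorithms octet
NIA_BITS = {1: 0x40, 2: 0x20, 3: 0x10}  # 128-5G-IA1/IA2/IA3 bits in that octet
# Registration Request IEs with a 2-octet length (TLV-E). Assumption for this
# demo: every other optional IE is 1-octet TLV, and IEIs with a high nibble of
# 0x8..0xF are single-octet TV. Real captures may carry IEs outside this subset.
TLV_E_IEIS = {0x70, 0x71, 0x74, 0x77, 0x7B}


@dataclass
class Nas5gmm:
    sec_hdr: int            # security header type; 0 = plain NAS message
    mac: Optional[bytes]    # 4-octet MAC when security protected, else None
    msg_type: int
    body: bytes             # octets following the 3-octet plain header


def parse_5gmm(raw: bytes) -> Nas5gmm:
    """Strip the optional security header and return the plain 5GMM message."""
    if raw[0] != EPD_5GMM:
        raise ValueError("not a 5GMM message")
    sht = raw[1] & 0x0F
    if sht == 0:
        return Nas5gmm(0, None, raw[2], raw[3:])
    mac, inner = raw[2:6], raw[7:]       # octet 7 is the NAS sequence number
    if inner[0] != EPD_5GMM or inner[1] & 0x0F != 0:
        raise ValueError("malformed inner plain NAS message")
    return Nas5gmm(sht, mac, inner[2], inner[3:])


def ue_integrity_caps(reg_body: bytes) -> Optional[int]:
    """Return the 5GS integrity algorithms octet from the UE security capability IE."""
    pos = 1                                           # registration type / ngKSI octet
    pos += 2 + int.from_bytes(reg_body[pos:pos + 2], "big")  # 5GS mobile identity (LV-E)
    while pos < len(reg_body):
        iei = reg_body[pos]
        if iei >> 4 >= 0x8:                           # type 1/2 IE: one octet total
            pos += 1
            continue
        if iei in TLV_E_IEIS:
            length, value_start = int.from_bytes(reg_body[pos + 1:pos + 3], "big"), pos + 3
        else:
            length, value_start = reg_body[pos + 1], pos + 2
        if iei == IEI_UE_SECURITY_CAPABILITY:
            return reg_body[value_start + 1]          # octet 1 = EA bits, octet 2 = IA bits
        pos = value_start + length
    return None


def is_ia0_only(ia_octet: int) -> bool:
    return ia_octet == IA0_BIT


def select_integrity(ia_octet: int, configured: Sequence[int] = (2, 1),
                     emergency: bool = False) -> Optional[int]:
    """Hardened AMF-side rule: first configured NIAx the UE supports; NIA0 only
    for an unauthenticated emergency registration; None means reject."""
    for alg in configured:
        if ia_octet & NIA_BITS[alg]:
            return alg
    return 0 if emergency else None


def audit_exchange(messages: Sequence[bytes]) -> List[str]:
    """Run the three detection checks over a captured NAS exchange."""
    findings = []
    for raw in messages:
        m = parse_5gmm(raw)
        if m.msg_type == MT_REGISTRATION_REQUEST:
            ia = ue_integrity_caps(m.body)
            if ia is not None and is_ia0_only(ia):
                findings.append("Registration Request advertises 5G-IA0 only")
        elif m.msg_type == MT_SECURITY_MODE_COMMAND:
            if m.body[0] & 0x0F == 0:                 # bits 4-1 = integrity algorithm
                findings.append("Security Mode Command selected NIA0 (no integrity)")
        elif m.msg_type == MT_SECURITY_MODE_COMPLETE:
            if m.mac == b"\x00" * 4:
                findings.append("Security Mode Complete carries an all-zero MAC")
    return findings


# Constructed sample: IA0-only UE, AMF picks NIA0, zero-MAC Security Mode Complete.
DOWNGRADE_EXCHANGE = [
    bytes.fromhex("7E0041" "79" "000100" "100100" "2E020080"),
    bytes.fromhex("7E03" "00000000" "00" "7E005D" "00" "00" "020080"),
    bytes.fromhex("7E04" "00000000" "00" "7E005E"),
]
# Constructed sample: UE offers IA0|IA1|IA2, AMF selects NIA2, MACs are non-zero.
HEALTHY_EXCHANGE = [
    bytes.fromhex("7E0041" "79" "000100" "100100" "2E0200E0"),
    bytes.fromhex("7E03" "DEADBEEF" "00" "7E005D" "02" "00" "0200E0"),
    bytes.fromhex("7E04" "0BADF00D" "00" "7E005E"),
]

if __name__ == "__main__":
    for name, exchange in (("downgrade", DOWNGRADE_EXCHANGE), ("healthy", HEALTHY_EXCHANGE)):
        print(name, audit_exchange(exchange) or "no findings")
```

To run this against real traffic, export the NAS-5GS payloads from the pcap (for example with tshark's `nas-5gs` dissector) and feed them to `audit_exchange` in order; the checks are on-the-wire observations, so a positive result shows the downgrade happened, and whether the AMF then went on to Registration Accept still has to be confirmed in the capture or the AMF logs.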


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in OpenAirInterface v2.2.0 allows acceptance of Security Mode Complete messages without integrity protection, enabling a downgrade to no-integrity (IA0) security context. This behavior violates the 5G security specifications, which mandate rejection of such requests to ensure message integrity.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the acceptance of unprotected messages and potential for replay attacks could lead to unauthorized access or manipulation of user data, which may impact compliance with data protection regulations that require ensuring data integrity and confidentiality.

Therefore, this vulnerability could indirectly affect compliance with common standards and regulations by undermining the security guarantees necessary to protect personal and sensitive data.

