CVE-2026-41136
Deserialization Bypass in free5GC AMF Causes Uninitialized Requests
Publication date: 2026-04-22
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | free5gc | up to 4.2.1 (inclusive) |
| free5gc | amf | up to 1.4.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-440 | A feature, API, or function does not perform according to its specification. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in free5GC AMF, specifically in the HTTPUEContextTransfer handler before version 1.4.3. The handler's code does not include a default case in the Content-Type switch statement. As a result, when a request with an unsupported Content-Type is received, the deserialization step is skipped silently without error, causing the processor to operate on an uninitialized UeContextTransferRequest object.
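The pattern described above, as an added Go illustration that is not free5GC's code: a Content-Type switch without a default case next to a version that rejects unsupported types. The names `transferRequest`, `decodeLoose` and `decodeStrict`, the sample body, and the choice of a 415 response are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"mime"
	"net/http"
)

// transferRequest is a hypothetical stand-in for UeContextTransferRequest.
type transferRequest struct {
	Reason string `json:"reason"`
}

// decodeLoose has no default case: an unsupported Content-Type skips
// decoding and the caller gets a zero-value struct with a success status.
func decodeLoose(contentType string, body []byte) (req transferRequest, status int) {
	mt, _, _ := mime.ParseMediaType(contentType)
	switch mt {
	case "application/json":
		if json.Unmarshal(body, &req) != nil {
			return req, http.StatusBadRequest
		}
	}
	return req, http.StatusOK
}

// decodeStrict adds the default case (415 is this example's assumption).
func decodeStrict(contentType string, body []byte) (req transferRequest, status int) {
	mt, _, _ := mime.ParseMediaType(contentType)
	switch mt {
	case "application/json":
		if json.Unmarshal(body, &req) != nil {
			return req, http.StatusBadRequest
		}
	default:
		return req, http.StatusUnsupportedMediaType
	}
	return req, http.StatusOK
}

// sample is a constructed request body, not taken from free5GC.
const sample = `{"reason":"INIT_REG"}`

func main() {
	req, loose := decodeLoose("text/plain", []byte(sample))
	_, strict := decodeStrict("text/plain", []byte(sample))
	fmt.Printf("loose: status=%d req=%+v | strict: status=%d\n", loose, req, strict)
}
```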
How can this vulnerability impact me?
This vulnerability can lead to the processing of uninitialized data within the AMF component of free5GC. This may cause unexpected behavior or errors in the 5G core network functions that rely on properly deserialized user context data, potentially impacting network reliability or security.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade free5GC AMF to version 1.4.3 or later, which contains the fix for the issue in the HTTPUEContextTransfer handler.