Executive Summary

CVE-2026-5661 is a vulnerability in free5GC version 4.2.0 affecting the NGSetupRequest Handler component. The issue arises when the NGSetupRequest message contains a <Criticality> element set to "Ignore." In this case, the system incorrectly sends two conflicting responses: a success response followed by a failure response. This behavior causes ambiguity and can desynchronize the client state, making it unclear which response should be considered authoritative.

The vulnerability is due to improper handling of Information Elements (IEs) during the NGSetup procedure, specifically when unrecognized IEs with criticality "notify" are processed. This leads to errors and multiple SCTP read timeouts after responses are sent. The expected behavior is to handle the <Criticality> element correctly without producing multiple responses, ensuring consistent client-server synchronization.

Useful 0 Not Useful 0

Compliance Impact

The CVE-2026-5661 vulnerability causes the free5GC AMF to send conflicting NGSetup responses (both success and failure) when handling NGSetupRequest messages with the <Criticality> element set to "Ignore." This leads to client desynchronization and protocol ambiguity.

However, there is no information provided in the available context or resources about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition in the affected free5GC system. Because the system sends conflicting success and failure responses to an NGSetupRequest with criticality set to Ignore, the client and server can become desynchronized. This desynchronization can disrupt normal communication and operation of the 5G core network functions relying on the NGSetup procedure.

An attacker can remotely exploit this vulnerability by sending specially crafted NGSetupRequest messages, potentially causing service interruptions or degraded network performance. The exploit is publicly available, increasing the risk of exploitation.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the AMF logs for abnormal NGSetupRequest handling behavior, specifically when the <Criticality> element is set to "Ignore." Indicators include the AMF sending two conflicting responses: an NGSetupSuccess followed by an NGSetupFailure message, which causes client desynchronization.

Detection involves capturing and analyzing NGSetupRequest messages on the SCTP port 38412 used by free5GC's NGAP protocol. Look for NGSetupRequest messages with the <Criticality> field set to "Ignore" and observe if the system responds with both success and failure messages.

Suggested commands to detect this behavior include:

• Use tcpdump or tshark to capture NGAP traffic on SCTP port 38412: tcpdump -i <interface> port 38412 -w capture.pcap
• Analyze the capture with Wireshark or tshark to filter NGSetupRequest messages and inspect the <Criticality> element.
• Check AMF logs for warnings about unrecognized Information Elements (IEs) with criticality "notify" and for the presence of both NGSetupSuccess and NGSetupFailure responses following a single NGSetupRequest.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves applying the fix that correctly handles not comprehended Information Elements (IEs) with criticality "notify" in the NGSetupRequest handler to prevent sending conflicting responses.

This fix is available as a patch in the free5GC AMF component, which addresses the improper handling of the <Criticality> element and prevents the denial of service condition.

Additional steps include:

• Update free5GC to a version that includes the fix from the pull request addressing this issue (e.g., the PR merged in March 2026).
• Monitor and restrict NGSetupRequest messages with criticality set to "Ignore" if possible, to reduce exposure.
• Ensure detailed logging is enabled on the AMF to detect any attempts to exploit this vulnerability.

Useful 0 Not Useful 0