Executive Summary

The vulnerability CVE-2026-42081 affects the Free5GC AMF (Access and Mobility Management Function) versions up to 4.2.1. It occurs because the AMF does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as required by 3GPP TS 33.501 §6.7.3.1.

A malicious gNB can exploit this by sending a PathSwitchRequest message with arbitrary UE Security Capabilities, which the AMF then overwrites without validation. These corrupted values are propagated in PathSwitchRequestAcknowledge and subsequent HandoverRequest messages.

This leads to persistent handover denial-of-service for affected UEs because the AMF uses invalid security capabilities during handover procedures.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause persistent denial-of-service (DoS) for user equipment (UE) during handover procedures in the 5G network.

Specifically, a malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, which disrupts the handover process and prevents affected UEs from successfully switching between cells.

The impact affects availability (high) and integrity (low) of the network service, potentially leading to degraded user experience and service interruptions.

Any deployment using Free5GC as the AMF with potentially untrusted gNBs is vulnerable to this issue.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the AMF in Free5GC failing to verify UE Security Capabilities in NGAP PathSwitchRequest messages, allowing a malicious gNB to overwrite stored values. Detection would involve monitoring NGAP PathSwitchRequest messages for unexpected or arbitrary UE Security Capability values that differ from locally stored values.

Since the root cause is in the `handlePathSwitchRequestMain` function in the Free5GC AMF code, inspecting logs or traces related to this function may help identify suspicious activity.

Specific commands are not provided in the available resources, but network administrators could use packet capture tools (e.g., tcpdump or Wireshark) to filter NGAP PathSwitchRequest messages and compare UE Security Capabilities against expected values.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves ensuring that the Free5GC AMF version in use is updated to 4.2.2 or later, where this vulnerability is fixed.

Until an update is applied, restrict or verify the trustworthiness of gNBs connected to the AMF to prevent malicious PathSwitchRequest messages from untrusted sources.

Monitoring and alerting on anomalous NGAP PathSwitchRequest messages may also help mitigate the impact.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability involves the Free5GC AMF failing to verify UE Security Capabilities as mandated by 3GPP TS 33.501 §6.7.3.1, allowing a malicious gNB to overwrite stored security capabilities. This leads to persistent handover denial-of-service affecting availability and integrity.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the integrity and availability impacts could indirectly affect compliance. For example, denial-of-service and integrity issues in network functions may hinder the protection of personal data or availability of services required under such regulations.

However, there is no direct information provided about specific compliance violations or regulatory impacts related to this vulnerability.

Useful 0 Not Useful 0