CVE-2026-42082
AMF NAS Security Context Mismatch in free5GC
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | free5gc | to 4.2.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-358 | The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in free5GC, an open-source 5G core network implementation, specifically in versions prior to 4.2.2. The Access and Mobility Management Function (AMF) does not enforce the concurrent security procedure rules as defined in the 3GPP TS 33.501 standard. It fails to check for ongoing N2 handover procedures before initiating a NAS Security Mode Command, and vice versa. This can cause mismatches between the Non-Access Stratum (NAS) and Access Stratum (AS) security contexts between the network and the User Equipment (UE).
How can this vulnerability impact me? :
This vulnerability can lead to inconsistencies in security contexts between the network and the user device, potentially weakening the security of communications. According to the CVSS score, it has a low to moderate impact with a base score of 3.7, indicating it may cause limited integrity and availability issues but does not affect confidentiality.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in free5GC version 4.2.2. To mitigate this vulnerability, you should upgrade your free5GC deployment to version 4.2.2 or later.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper handling of concurrent security procedures in Free5GC's AMF during NGAP handover operations, specifically the lack of checks for ongoing NAS Security Mode Command or N2 handover procedures before initiating the other.
Detection would require monitoring the AMF behavior for concurrent NAS Security Mode Command and N2 handover procedures that violate 3GPP TS 33.501 Β§6.9.5.1 rules.
Since the vulnerability is related to protocol state handling within Free5GC AMF, direct detection via simple network commands is not straightforward.
No specific detection commands or tools are provided in the available resources.
A practical approach might include enabling detailed logging on the Free5GC AMF component to observe NAS Security Mode Command and N2 handover procedure states and checking for overlapping or concurrent procedures.
Network packet captures focusing on NGAP messages could be analyzed to identify if NAS Security Mode Command and N2 handover procedures are initiated concurrently without proper checks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Free5GC's AMF involves non-compliance with the concurrent security procedure rules defined in 3GPP TS 33.501 Β§6.9.5.1, which is a telecommunications security standard.
This non-compliance can lead to mismatches between NAS and AS security contexts, potentially causing integrity issues and security verification failures.
However, there is no direct information provided about how this vulnerability impacts compliance with broader common standards and regulations such as GDPR or HIPAA.