CVE-2026-41136: free5GC AMF: Missing default case in Content-Type switch in HTTPUEContextTransfer
The HTTPUEContextTransfer handler in internal/sbi/api_communication.go does not include a default case in the Content-Type switch statement. When a request arrives with an unsupported Content-Type, the deserialization step is silently skipped, err remains nil, and the processor is invoked with a completely uninitialized UeContextTransferRequest object.
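The failure mode described above, reduced to a standalone Go sketch. This is an added example, not free5GC's code: `transferRequest`, `decodeNoDefault` and `decodeWithDefault` are hypothetical names, and `application/json` is assumed to be the only handled media type. The second function adds the missing `default` branch so an unhandled Content-Type yields an error instead of a zero-value request.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"mime"
)

// transferRequest is a hypothetical stand-in for UeContextTransferRequest.
type transferRequest struct {
	Reason string `json:"reason"`
}

var errUnsupportedMediaType = errors.New("unsupported Content-Type")

// decodeNoDefault models the flaw: an unmatched Content-Type skips decoding,
// err stays nil, and the caller receives a zero-value request.
func decodeNoDefault(contentType string, body []byte) (req transferRequest, err error) {
	mediaType, _, _ := mime.ParseMediaType(contentType)
	switch mediaType {
	case "application/json":
		err = json.Unmarshal(body, &req)
	}
	return req, err
}

// decodeWithDefault rejects every media type the switch does not handle,
// so the caller can refuse the request before any processor runs.
func decodeWithDefault(contentType string, body []byte) (req transferRequest, err error) {
	mediaType, _, _ := mime.ParseMediaType(contentType) // "" if the header is empty
	switch mediaType {
	case "application/json":
		err = json.Unmarshal(body, &req)
	default:
		err = fmt.Errorf("%w: %q", errUnsupportedMediaType, contentType)
	}
	return req, err
}

func main() {
	body := []byte(`{"reason":"sample"}`) // constructed sample body
	for _, ct := range []string{"application/json", "text/plain"} {
		_, e1 := decodeNoDefault(ct, body)
		_, e2 := decodeWithDefault(ct, body)
		fmt.Println(ct, "| no default:", e1, "| with default:", e2)
	}
}
```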