CVE-2026-42081: Free5GC AMF Bypasses UE Security Capabilities on NGAP PathSwitchRequest

May 7, 2026

The AMF in Free5GC v4.2.1 does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF’s stored UE security capabilities with arbitrary values, which are then propagated in PathSwitchRequest Acknowledge messages and subsequent Handover Request messages. This leads to persistent handover denial-of-service for affected UEs.

References

github.com/advisories/GHSA-77x9-rf64-92gv
github.com/free5gc/amf/blame/v1.4.3/internal/ngap/handler.go
github.com/free5gc/free5gc
github.com/free5gc/free5gc/security/advisories/GHSA-77x9-rf64-92gv
nvd.nist.gov/vuln/detail/CVE-2026-42081

Code Behaviors & Features

Detect and mitigate CVE-2026-42081 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →