CVE-2026-42081

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, which are then propagated in PathSwitchRequest Acknowledge messages and subsequent Handover Request messages. This leads to persistent handover denial-of-service for affected UEs. This vulnerability is fixed in 4.2.2.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/free5gc/free5gc/security/advisories/GHSA-77x9-rf64-92gv	Vendor Advisory Exploit
https://github.com/free5gc/free5gc/security/advisories/GHSA-77x9-rf64-92gv	Vendor Advisory Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*

History

29 May 2026, 19:24

Type	Values Removed	Values Added
First Time		Free5gc free5gc Free5gc
CPE		cpe:2.3:a:free5gc:free5gc::::::::
References	~~() https://github.com/free5gc/free5gc/security/advisories/GHSA-77x9-rf64-92gv -~~	() https://github.com/free5gc/free5gc/security/advisories/GHSA-77x9-rf64-92gv - Vendor Advisory, Exploit

27 May 2026, 19:16

Type	Values Removed	Values Added
References	~~() https://github.com/free5gc/free5gc/security/advisories/GHSA-77x9-rf64-92gv -~~	() https://github.com/free5gc/free5gc/security/advisories/GHSA-77x9-rf64-92gv -

27 May 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-27 17:16

Updated : 2026-05-29 19:24

NVD link : CVE-2026-42081

Mitre link : CVE-2026-42081

CVE.ORG link : CVE-2026-42081

JSON object : View

Products Affected

free5gc

free5gc

CWE

CWE-358

Improperly Implemented Security Check for Standard

{"id": "CVE-2026-42081", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2026-05-27T17:16:34.967", "references": [{"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-77x9-rf64-92gv", "tags": ["Vendor Advisory", "Exploit"], "source": "security-advisories@github.com"}, {"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-77x9-rf64-92gv", "tags": ["Vendor Advisory", "Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-358"}]}], "descriptions": [{"lang": "en", "value": "free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 \u00a76.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, which are then propagated in PathSwitchRequest Acknowledge messages and subsequent Handover Request messages. This leads to persistent handover denial-of-service for affected UEs. This vulnerability is fixed in 4.2.2."}], "lastModified": "2026-05-29T19:24:54.783", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF7EBB95-EB4E-44C5-BF0A-9C99B0A7775F", "versionEndExcluding": "4.2.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}