Medium severity6.1GHSA Advisory· Published May 27, 2026· Updated May 29, 2026
CVE-2026-42081
CVE-2026-42081
Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, which are then propagated in PathSwitchRequest Acknowledge messages and subsequent Handover Request messages. This leads to persistent handover denial-of-service for affected UEs. This vulnerability is fixed in 4.2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/free5gc/amfGo | <= 1.4.3 | — |
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-77x9-rf64-92gvghsaADVISORY
- github.com/free5gc/free5gc/security/advisories/GHSA-77x9-rf64-92gvnvdVendor AdvisoryExploitWEB
- nvd.nist.gov/vuln/detail/CVE-2026-42081ghsaADVISORY
News mentions
1- Free5gc 4.2.2: 20 CVEs Land in Single Disclosure — Missing Auth, Panics, and Protocol FlawsVypr Intelligence · May 27, 2026