CVE-2026-42081
free5GC: UE Security Capability bypass on NGAP PathSwitchRequest
CVSS Score
6.1
EPSS Score
0.0%
EPSS Percentile
0th
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 ยง6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, which are then propagated in PathSwitchRequest Acknowledge messages and subsequent Handover Request messages. This leads to persistent handover denial-of-service for affected UEs. This vulnerability is fixed in 4.2.2.
| CWE | CWE-358 |
| Vendor | free5gc |
| Product | free5gc |
| Published | May 27, 2026 |
| Last Updated | May 27, 2026 |
Stay Ahead of the Next One
Get instant alerts for free5gc free5gc
Be the first to know when new medium vulnerabilities affecting free5gc free5gc are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
Low
Affected Versions
free5gc / free5gc
< 4.2.2