PT-2026-38366 · Free5Gc+1 · Free5Gc+1
Sjna0414 · Published 2026-05-07 · Updated 2026-05-27
CVE-2026-42081
CVSS v3.1: 7.1 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions
free5GC versions prior to 4.2.2
Description
The Access and Mobility Management Function (AMF) in free5GC fails to verify UE Security Capabilities received in NGAP PathSwitchRequest messages against locally stored values. This occurs within the handlePathSwitchRequestMain() function located in amf/internal/ngap/handler.go. A malicious gNB can overwrite the stored UE security capabilities with arbitrary values, which are then propagated in PathSwitchRequest Acknowledge and subsequent Handover Request messages. This leads to a persistent handover denial-of-service for affected UEs, as target gNBs may reject the procedure if the corrupted algorithms do not match their configured allowed algorithms.
Recommendations
Update to version 4.2.2.
As a temporary workaround, restrict access to the handlePathSwitchRequestMain() function or the associated NGAP PathSwitchRequest processing to trusted gNBs only.
Exploit
Fix
Improperly Implemented Security Check for Standard
Weakness Enumeration
Related Identifiers
Affected Products
Free5Gc
Github.Com/Free5Gc/Amf
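
The missing comparison described for handlePathSwitchRequestMain(), shown next to a checked variant, as an added example that is not free5GC code or the project's actual fix. The types, function names and bitmap values are hypothetical, and the checked variant assumes the AMF keeps and returns its stored capabilities on a mismatch.

```go
package main

import "fmt"

// UESecCaps is a hypothetical, simplified stand-in for the NGAP UE Security
// Capabilities IE: one algorithm bitmap per family.
type UESecCaps struct{ NREnc, NRInt, EUTRAEnc, EUTRAInt uint16 }

// UEContext is a hypothetical AMF-side record of what is stored for the UE.
type UEContext struct{ Stored UESecCaps }

// vulnerablePathSwitch models the flaw: the gNB-supplied value replaces the
// stored one and is what later messages carry.
func vulnerablePathSwitch(ue *UEContext, fromGNB UESecCaps) UESecCaps {
	ue.Stored = fromGNB
	return ue.Stored
}

// checkedPathSwitch compares before use. The stored value is never replaced
// and is what goes into the acknowledge; mismatch is returned so the caller
// can log or alarm on the sending gNB.
func checkedPathSwitch(ue *UEContext, fromGNB UESecCaps) (ack UESecCaps, mismatch bool) {
	return ue.Stored, fromGNB != ue.Stored
}

// targetAccepts is a simplified model of a target gNB that needs at least one
// NR ciphering and one NR integrity algorithm in common with its allowed set.
func targetAccepts(c UESecCaps, allowedEnc, allowedInt uint16) bool {
	return c.NREnc&allowedEnc != 0 && c.NRInt&allowedInt != 0
}

func main() {
	// Constructed sample values, not taken from a real trace.
	stored := UESecCaps{NREnc: 0xE000, NRInt: 0xE000, EUTRAEnc: 0xE000, EUTRAInt: 0xE000}
	mismatched := UESecCaps{} // every algorithm bit cleared
	const allowed = 0x8000

	a := &UEContext{Stored: stored}
	vulnerablePathSwitch(a, mismatched)
	fmt.Println("unchecked: later handover accepted =", targetAccepts(a.Stored, allowed, allowed))

	b := &UEContext{Stored: stored}
	ack, mismatch := checkedPathSwitch(b, mismatched)
	fmt.Println("checked: mismatch =", mismatch, "later handover accepted =", targetAccepts(ack, allowed, allowed))
}
```

The mismatch flag is the detection signal: a PathSwitchRequest whose capabilities differ from the stored ones is worth logging with the sending gNB's identity.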