PT-2026-38367 · Free5Gc+1

Sjna0414 · Published 2026-05-07 · Updated 2026-05-29 · CVE-2026-42082

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions

free5GC versions prior to 4.2.2

Description

The Access and Mobility Management Function (AMF) in free5GC fails to enforce concurrent security procedure rules. Specifically, the AMF does not verify whether an N2 handover procedure is ongoing before initiating a NAS Security Mode Command and, conversely, does not check for an ongoing NAS Security Mode Command before starting N2 procedures. This lack of synchronization can result in mismatches between the Non-Access Stratum (NAS) and Access Stratum (AS) security contexts in the network and the User Equipment (UE). The affected code paths are the SecurityMode() function in internal/gmm/sm.go and the handleHandoverRequiredMain() function in internal/ngap/handler.go, where the required cross-procedure checks are missing.

Recommendations

Update to version 4.2.2. As a temporary workaround, restrict the use of the SecurityMode() function and the handleHandoverRequiredMain() function so that they do not execute concurrently for the same UE.
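The missing cross-procedure check, sketched as a per-UE guard that both handlers would consult before starting. This is an added example, not free5GC's code and not the 4.2.2 patch; `ProcedureGuard`, `Begin`, `End` and the procedure labels are hypothetical names, and the SUPI is a constructed sample.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Procedure labels are hypothetical names for this example, not free5GC identifiers.
type Procedure string

const (
	NASSecurityMode Procedure = "nas-security-mode-command"
	N2Handover      Procedure = "n2-handover"
)
var ErrConflict = errors.New("security procedure already ongoing for this UE")

// ProcedureGuard records, per UE, which security-context-changing procedure is running.
type ProcedureGuard struct {
	mu      sync.Mutex
	ongoing map[string]Procedure // key: UE identifier such as the SUPI
}
func NewProcedureGuard() *ProcedureGuard { return &ProcedureGuard{ongoing: map[string]Procedure{}} }

// Begin checks and records the procedure under one lock, so the two handlers
// cannot both pass the check for the same UE at the same moment.
func (g *ProcedureGuard) Begin(ue string, p Procedure) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	if cur, busy := g.ongoing[ue]; busy {
		return fmt.Errorf("%w: ue=%s ongoing=%s requested=%s", ErrConflict, ue, cur, p)
	}
	g.ongoing[ue] = p
	return nil
}

// End clears the marker only when p is the procedure that currently holds it.
func (g *ProcedureGuard) End(ue string, p Procedure) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.ongoing[ue] == p {
		delete(g.ongoing, ue)
	}
}

func main() {
	g, ue := NewProcedureGuard(), "imsi-001010000000001" // constructed sample SUPI
	fmt.Println(g.Begin(ue, N2Handover), g.Begin(ue, NASSecurityMode))
}
```

A handler that receives `ErrConflict` defers or rejects its procedure instead of proceeding, and the holder calls `End` on every exit path, including failures and timeouts.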

Weakness Enumeration

Improperly Implemented Security Check for Standard

Related Identifiers

CVE-2026-42082
GHSA-VRRX-58H3-PRMH

Affected Products

free5GC
github.com/free5gc/amf