CVE-2026-10565

A security flaw has been discovered in Open5GS up to 2.7.6. The impacted element is the function gmmstatesecuritymode of the file src/amf/gmm-sm.c of the component NGAP Handover. Performing a manipulation results in race condition. The attack can be initiated remotely. The complexity of an attack...

CVE-2026-44474

Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core didn't enforce security rules on concurrent running of security procedures defined in TS 33.501 §6.9.5.1 — it could send a NAS Security Mode Command while an N2 handover was still pending and vice versa. Concurrent...

CVE-2026-42082 free5GC: Missing Concurrent NAS SMC Validation During NGAP Handover

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not enforce the concurrent security procedure rules defined in 3GPP TS 33.501 §6.9.5.1. The AMF does not check for ongoing N2 handover procedures before initiating a NAS Security Mode Command,...

PT-2026-29708

Name of the Vulnerable Software and Affected Versions Ella Core versions prior to 1.8.0 Description Ella Core experiences a panic when processing a NGAP handover failure message. An attacker capable of triggering a gNodeB to send NGAP handover failure messages to Ella Core can cause a process...

CVE-2022-33250

Transient DOS due to reachable assertion in modem when network repeatedly sent invalid message container for NR to LTE handover...

Design/Logic Flaw

Transient DOS due to reachable assertion in modem when network repeatedly sent invalid message container for NR to LTE handover...