39 matches found
PT-2026-42876
A vulnerability was detected in omec-project amf up to 2.1.1. Affected by this vulnerability is an unknown functionality of the component PathSwitchRequest Handler. The manipulation results in memory corruption. The attack may be launched remotely. The exploit is now public and may be used. It is...
amf 缓冲区错误漏洞
AMF is an open-source library under Apache License, developed by Free5GC. Versions of AMF prior to 2.1.1 contain a buffer error vulnerability, which stems from unknown features of the PathSwitchRequest handler. This vulnerability may lead to memory corruption...
Improperly Implemented Security Check for Standard
Overview Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard due to improper verification of UE Security Capabilities in the PathSwitchRequest messages. An attacker can alter stored security capabilities for any user equipment by sending a crafte...
GHSA-PWFH-MQP3-PQWJ Ella Core has a UE Security Capability bypass on NGAP PathSwitchRequest
Summary Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest...
Ella Core has a UE Security Capability bypass on NGAP PathSwitchRequest
Summary Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest...
PT-2026-39669
Name of the Vulnerable Software and Affected Versions Ella Core versions prior to 1.10.0 Description Ella Core, a 5G core for private networks, fails to verify UE Security Capabilities received in NGAP 'PathSwitchRequest' messages against locally stored values. This allows a malicious gNB to...
Free5GC AMF Bypasses UE Security Capabilities on NGAP PathSwitchRequest
Summary The AMF in Free5GC v4.2.1 does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, whic...
Improperly Implemented Security Check for Standard
Overview Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard in the handlePathSwitchRequestMain function. An attacker can cause persistent service disruption and corrupt internal security context by sending a crafted PathSwitchRequest message fro...
GHSA-77X9-RF64-92GV Free5GC AMF Bypasses UE Security Capabilities on NGAP PathSwitchRequest
Summary The AMF in Free5GC v4.2.1 does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, whic...
PT-2026-38366
Name of the Vulnerable Software and Affected Versions free5GC versions prior to 4.2.2 Description The Access and Mobility Management Function AMF in free5GC fails to verify UE Security Capabilities received in NGAP PathSwitchRequest messages against locally stored values. This occurs within the...
CVE-2026-32320
Ella Core is a 5G core designed for private networks. Prior to 1.5.1, Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service. An attacker able to send...
GO-2026-4691 Ella Core: AMF DoS via malformed PathSwitchRequest with empty NR security capability bitstrings in github.com/ellanetworks/core
Ella Core: AMF DoS via malformed PathSwitchRequest with empty NR security capability bitstrings in github.com/ellanetworks/core...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read through the processing of a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings. An attacker can cause the process to crash and disrupt...
CVE-2026-32320 Ella Core: AMF DoS via malformed PathSwitchRequest with empty NR security capability bitstrings
Ella Core is a 5G core designed for private networks. Prior to 1.5.1, Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service. An attacker able to send...
CVE-2026-32320
Ella Core (5G private-net core) is affected by a DoS when processing a PathSwitchRequest that contains UE Security Capabilities with zero-length NR encryption or integrity protection bitstrings. The issue can crash the process via crafted NGAP messages, leading to service disruption for all conne...
EUVD-2026-11724
Ella Core: AMF DoS via malformed PathSwitchRequest with empty NR security capability bitstrings...
GHSA-J478-P7VQ-3347 Ella Core: AMF DoS via malformed PathSwitchRequest with empty NR security capability bitstrings
Summary Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service. Impact An attacker able to send crafted NGAP messages to Ella Core can crash the process,...
Ella Core: AMF DoS via malformed PathSwitchRequest with empty NR security capability bitstrings
Summary Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service. Impact An attacker able to send crafted NGAP messages to Ella Core can crash the process,...
PT-2025-23617 · Open5Gs · Open5Gs
Name of the Vulnerable Software and Affected Versions: Open5GS versions up to 2.7.3 Description: A vulnerability was found in the function ngap handle path switch request transfer of the file src/smf/ngap-handler.c of the component NGAP PathSwitchRequest Message Handler. The manipulation leads to...