Lucene search
K

4 matches found

NVD
NVD
added 2026/05/27 5:16 p.m.26 views

CVE-2026-42081

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the...

7.1CVSS0.00266EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/05/11 3:29 p.m.9 views

Ella Core has a UE Security Capability bypass on NGAP PathSwitchRequest

Summary Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest...

6.1CVSS5.9AI score0.00148EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 1:53 a.m.10 views

Free5GC AMF Bypasses UE Security Capabilities on NGAP PathSwitchRequest

Summary The AMF in Free5GC v4.2.1 does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, whic...

7.1CVSS5.9AI score0.00266EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/05/07 1:53 a.m.6 views

GHSA-77X9-RF64-92GV Free5GC AMF Bypasses UE Security Capabilities on NGAP PathSwitchRequest

Summary The AMF in Free5GC v4.2.1 does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, whic...

6.1CVSS5.9AI score0.00266EPSS
Exploits1References4
Rows per page
Query Builder